Full opinion text
MEMORANDUM OPINION HUVELLE, District Judge. Before the Court are plaintiffs’ motions for summary judgment, defendants’ cross-motion for summary judgment, plaintiffs’ replies, defendants’ memorandum in support, plaintiffs’ supplemental memorandum, and defendants’ response thereto. Plaintiffs bring this action pursuant to the. Administrative Procedure Act (“APA”), 5 U.S.C. § 701, seeking judicial. review of regulations (the “Regulations”) that were promulgated by the defendant agencies to implement Title V, Subtitle A of the Gramm-Leach-Bliley Act, Pub.L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended at 15 U.S.C.A. § 6801 'et seq. (2000)) (the “GLB Act”), which addresses the responsibility of financial institutions to protect the privacy of the personal financial information of their customers. Plaintiffs ask this Court to invalidate these Regulations and enjoin their enforcement. Plaintiffs contend that the Regulations are both unlawful and unconstitutional. They argue that the Regulations are invalid for five reasons: a) the definition of “nonpublic personal information” in the Regulations contravenes the statutory requirement that only financial information is subject to the GLB Act; b) the Regulations constitute an impermissible regulation of non-financial institutions by the agencies; c) the Regulations contradict a provision of the GLB Act that exempts consumer reporting agencies from the statute’s prohibition of the use of account numbers for marketing purposes; d) the Regulations impose a restriction on the use of noripublic personal information that is, inconsistent with the statute; and e) the Regulations modify the operation of the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (the “FCRA”), in contravention of the savings clause of the GLB Act. In addition, plaintiffs allege that the Regulations are unconstitutional for three reasons: a) they are overbroad and improperly restrict plaintiffs’ speech in violation of the First Amendment; b) they were enacted without the requisite adjudicative hearings, in violation of Trans Union’s Fifth Amendment right to due process of law; and c) they impose restrictions on plaintiff Trans Union that are not imposed on entities that are not consumer reporting agencies, in violation of the Fifth Amendment. Upon consideration of the pleadings and the record herein, this Court concludes the Regulations are lawful and constitutional. Summary judgment is therefore granted for defendants as to all counts. FACTUAL AND STATUTORY BACKGROUND I. The Parties and The Role of Consumer Reporting Agencies A. Trans Union and Its Products Plaintiff Trans Union (“Trans Union”) is a Delaware limited liability company with its principal place of business in Chicago, Illinois. (Trans Union Statement of Material Facts ¶ 1.) Trans Union is a “consumer reporting agency” (“CRA”), as defined in the FCRA, and it provides “consumer reports,” as defined at 15 U.S.C. § 1681a(d). The foundation of Trans Union’s business is its database, CRONUS, which contains information about consumers that is used to generate credit reports. (Trans Union Statement ¶ 16.) Although Trans Union gathers this data from over 85,000 entities, its main source of information is financial institutions, which generally provide this information in the form of accounts receivable tapes. (Trans Union Statement ¶¶ 17-19.) These tapes contain information — the name, address, zip code, and social security number, as well as information regarding the account itself— about each consumer that is reported by the financial institution. (Trans Union Statement ¶ 20.) Trans Union maintains this information in CRONUS, from which it generates credit reports. These reports contain two types of information: identifying information for each individual, and tradeline information describing the consumer’s account and payment history. (Trans Union Statement ¶ 22.) The identifying information includes the name, address, social security number, and telephone number of the consumers, and since this data is printed at the top of the report, it is typically referred to as “credit header” information. (Trans Union Statement ¶ 23.) Although financial institutions are the primary source of the identifying information, plaintiffs allege that the resulting credit header is the product of various sources, and that it therefore does not reveal the existence of a customer relationship with any specific financial institution. Trans Union alleges that three of its product lines will be affected by the Regulations and are therefore at issue in this litigation. First are Trans Union’s credit header products. In addition to including the header information in its credit reports, Trans Union sells this data separately to a number of business and governmental entities, which then use the information for both commercial and noncommercial purposes, including target marketing and fraud prevention. (See Trans Union Statement ¶¶ 27-44.) These products include “Trace,” which allows a customer of Trans Union to input an individual’s social security number and receive, in return, the name and address of that person (Trans Union Statement ¶ 29); “Retrace,” which enables a customer who has an individual’s name and address to obtain that person’s social security and phone numbers (Trans Union Statement ¶ 31); and “ID Search,” which permits a customer with a person’s name and phone number to obtain that individual’s social security number and current and former addresses from Trans Union. (Trans Union Statement ¶ 33.) Trans Union and other CRAs also sell credit header information to individual reference services, which typically work with government agencies to identify and locate individuals for a variety of purposes, including the prosecution of financial crimes and enforcement of child support orders. (Individual Reference Services Group (“IRSG”) Statement of Material Facts ¶¶ 11-14.) Similarly, private companies hire individual reference services to help detect and prevent fraud, and health organizations use their products to identify blood and organ donors. Media and political campaign organizations may use individual references services to verify the identities of campaign donors. (IRSG Statement ¶ 15-16.) Second, Trans Union offers a line of target marketing products that provide both credit header and tradeline information. These target marketing lists are designed to identify consumers who may be interested in purchasing the particular goods or services that are offered by customers of Trans Union. (Trans Union Statement ¶ 45.) Typically, a targeting marketing list provides a customer with the names and addresses of individuals who live in a household that meets particular criteria, such as having a bank card or a home mortgage. (Trans Union Statement ¶¶ 46-47.) One of these products is “TransLink,” a program that allows a retailer to identify the names and addresses of customers who have made purchases from that retailer with a credit card. A retailer who has obtained the name and credit account number of a customer sends this information to Trans Union, which in response provides a corresponding name and address using the information stored in CRONUS. (Trans Union Statement ¶¶ 47, 55-56.) Third, Trans Union uses information that it receives from financial institutions to prepare aggregate or average data on consumers. Trans Union’s SUM-it product, for example, creates aggregate financial information, such as the average mortgage and bank card balance, for consumers who live within a particular zip code, zip code-plus-two digits, or zip code-plus-four digits. (Trans Union Statement ¶ 48.) The information in the SUM-it database is then used to create models that predict consumers’ financial characteristics or their propensity to purchase certain goods or services. This aggregate information is then made available to marketing firms. (Trans Union Statement ¶ 49.) Individual information reported by financial institutions about particular customers is not disclosed in this material. B. IRSG and Credit Header Information Plaintiff Individual Reference Services Group, Inc. is a non-stock corporation organized exclusively as a nonprofit trade association under the laws of the state of Maryland. (IRSG Statement ¶ 1.) IRSG represents leading information industry companies, including major CRAs, that provide information to help identify, verify, or locate individuals. IRSG represents CRAs, which obtain credit header information directly from financial institutions, and other entities to whom the CRAs provide credit header data. Trans Union is a member of IRSG. Plaintiff IRSG contests only the regulation of credit header information under the GLB Act; unlike Trans Union, it does not challenge the effects of the agencies’ Final Rules on target marketing lists or aggregate data. C. The Defendant Agencies The defendants in this action are the Federal Trade Commission (“FTC”), Board of Governors of the Federal Reserve System (“Board”), Federal Deposit Insurance Corporation (“FDIC”), Office of the Comptroller of the Currency (“OCC”), Office of Thrift Supervision (“OTS”), the National Credit Union Administration (“NCUA”), and them respective heads. These agencies are responsible for the administration and enforcement of Title V of the GLB Act, as well as other related statutes. The FTC and NCUA are independent agencies of the United States government; the Board administers the Federal Reserve System; the FDIC is a corporation organized under federal law; and OCC and OTS are divisions of the United States Department of the Treasury. Defendants are six of the seven agencies that promulgated regulations addressing, among other issues, the use and disclosure of “nonpublic personal information” pursuant to the GLB Act. These are the Regulations challenged in this action. (Trans Union Statement ¶¶ 2-12.) II. The FCRA An understanding of the legal issues in this case begins with an explanation of the FCRA, which provides a comprehensive regulatory scheme governing CRAs, in-eluding Trans Union. Enacted on October 26, 1970, the statute was drafted in an effort to balance the conflicting needs of commerce and consumer protection; its stated purpose was “to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer....” 15 U.S.C. § 1681(b). Specifically, the Act requires CRAs to “follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates.” 15 U.S.C. § 1681e(b). To ensure the accuracy of this data, CRAs must make available to customers “all information in the consumer’s file at the time of the request,” § 1681g(a)(l), and promptly investigate any consumer dispute regarding “any item of information.” § 1681i(a)(l)(A). The FCRA also requires CRAs to report the results of any investigation and to correct any inaccurate information. § 1681i(a)(5). The financial institutions that report information to CRAs are subject to similar requirements under the Act. § 1681s-2. The FCRA does not regulate the disclosure of all information that CRAs receive from financial institutions. Instead, the statute sets forth the permissible purposes for which a CRA may disclose information via a “consumer report.” Under the statute, a consumer report is “the communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for [credit, insurance, employment, or other authorized purposes].” § 1681a(d)(l). Under the 1996 amendments to the Act, Congress expanded the permissible uses of consumer report information to include credit and insurance target marketing, including firm offers of credit or insurance that are not initiated by the consumer. § 1681b(c). These amendments also require CRAs to establish procedures for consumers to opt out of this target marketing and to notify consumers of their opt-out rights. §§ 1681b(e), 1681m(d). The FCRA does not regulate the dissemination of information that is not contained in a “consumer report.” In 2000, the FTC stated that the “credit header” data at issue in this litigation — -the name, address, social security number, and phone number of the consumer — was not subject to the FCRA because it “does not bear on creditworthiness, credit capacity, credit standing, character, general reputation, personal characteristics, or mode of living, unless such terms are given an impermissibly broad meaning.” (Trans Union Index, Ex. F, In the Matter of Trans Union Corp., Docket No. 9255, Feb. 10, 2000, at 30.); 15 U.S.C. § 1681a(d)(1). Both sides agree that credit header information is not currently subject to the FCRA. (Trans Union Memorandum at 9.) In contrast, the Court of Appeals for this Circuit has recently upheld the FTC’s determination that target marketing lists are “consumer reports” under the FCRA and are therefore subject to the provisions of that statute. In Trans Union v. FTC, 245 F.3d 809 (D.C.Cir.2001), the Court found that lists of names and addresses of individuals who fall into particular categories based on tradeline information — for example, their credit limits, open dates of loans, number of tradelines, type of trade-lines (such as an auto loan or mortgage), or the mere existence of a tradeline— qualify as consumer reports. These categories, the Court found, were exactly the type of information considered by lenders in determining who was eligible for a loan or credit. Lists of names and addresses of consumers based on those categories, therefore, are covered by § 1681a(d)(l) of the FCRA. Trans Union, 245 F.3d 809, 815-16. III. The GLB Act The Federal Financial Modernization Act, commonly known as the Gramm-Leach-Bliley Act, was passed by Congress and signed by President Clinton in November 1999. The purpose of the GLB Act was “to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers....” H.R. Conf. Rep. No. 106-434, at 245 (1999), reprinted in 1999 U.S.C.C.A.N. 245, 245. Congress intended that increased competition would benefit consumers by enhancing the availability of financial products and services and by allowing domestic financial services firms to better compete globally. H.R.Rep. No. 106-74, pt. 3, at 98 (1999). At the same time, Congress realized that such a structure could exacerbate the concerns of consumers regarding the dissemination of personal financial information. For example,' banks, insurance companies, and securities firms have the capacity to know more about an individual’s spending habits than ever before, and could use this information for many purposes, including unwanted marketing and solicitation. See H.R. Rep. 106-74, pt. 3, at 106-07 (June 15, 1999) (“As a result of the explosion of information available via electronic services such as the Internet, as well as the expansion of financial institutions through affiliations and other means as they seek to provide more and better products to consumers, the privacy of data about personal financial information has become an increasingly significant concern of consumers.”) To balance these interests, the Act provides consumers with the power to choose how their personal information will be shared by financial institutions. As the Act states, “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” 15 U.S.C. § 6801. During debates in Congress, legislators noted that the proposed Act would “provide some of the strongest privacy protections to ever be enacted into any federal law,” 145 Cong. Rec. Hll, 539-40 (daily ed. Nov. 4, 1999) (statement of Rep. Vento), and would “represent the most comprehensive federal privacy protections ever enacted by Congress.” 145 Cong. Rec. Hll,544 (daily ed. Nov. 4, 1999) (statement of Rep. Sandlin). A. The Legislative History On May 6, 1999, the Senate approved S. 900, the Financial Services Modernization Act of 1999, a precursor to the GLB Act. That bill did not contain provisions protecting the disclosure of personal information. The House Commerce Committee, which was the first body to address privacy issues in the bill, proposed provisions to provide “protections for the privacy of customers of financial institutions, [including] put[ting] into place procedures to protect the confidentiality and security of nonpublic personal information collected in connection with any transaction of their customers.” H.R.Rep. No. 106-74, pt. 3, at 200. The Committee defined “nonpublic personal information” as “personally identifiable information, other than publicly available directory information, pertaining to an individual’s transactions with a financial institution.” H.R. 10, 106th Cong., 1st Sess § 509(4). (1999). Language containing the definition of “nonpublic personal information” was added to the House bill through an amendment introduced by Representative Michael Oxley on July 1, 1999. 145 Cong. Rec. H5308 et seq. (daily ed. July 1, 1999). Industry groups objecting to broader restrictions on the disclosure of personal information, as well as advocates for greater privacy protections, testified at hearings on the amended bill later that month. For example, Richard Barton, the Senior Vice President for Congressional Relations of the Direct Marketing Association, expressed concern that “the definition of nonpublic personal information [was] unclear because [it tended to] blur the differences between personally identifiable financial information and other types of personally identifiable information, [and] might be read to interfere seriously with the use of certain non-financial identifying information to make marketing databases more accurate.” House Banking Subcommittee Hearing (July 20, 1999), at <http://%mm .house.gov/banking/72099rba.htm> at 5. In contrast, other participants testified that it was important to restrict the unauthorized disclosure of certain sensitive personal information, including names and addresses. Representatives of federal agencies testified that consumers consider information that they provide to financial institutions in order to obtain a financial product to be “private.” See, e.g., Statement of Edward Gramlich, Member, Board of Governors, The Federal Reserve System, House Banking Subcommittee Hearing (July 21, 1999), at < http://commdocs. house.gov/ committees/bank/hba58S08 — 0.htm> at 128 (private information includes “information that banking and other financial institutions derive from their relationships with customers [such as] information submitted by a customer in order to obtain a loan”). After hearing testimony from both sides, the House declined industry’s request to narrow the bill’s definition of “nonpublic personal information.” As enacted, the statute defines “nonpublic personal information” (“NPI”) as “personally identifiable financial information [ (TIFT) ](i) provided by a customer to a financial institution; (ii) resulting from any transaction with the consumer or any service performed for the consumer; or (iii) otherwise obtained by the financial institution.” 15 U.S.C. § 6809(4). The GLB Act does not, however, define the term “personally identifiable financial information.” Several members of Congress discussed the meaning of this provision. Sponsor Oxley noted that the bill called for “the responsible sharing of consumer information .... ” 145 Cong. Rec. H5310 (daily ed., July 1, 1999). Co-sponsor Deborah Pryce said that “for the first time ever we will require that financial institutions give their customers a right to just say no to the sharing of what most Americans hold very, very dear: private information about themselves and their families,” including “addresses and phone numbers,” in order to protect consumers from “random telemarketing and junk mail.” 145 Cong. Rec. H5312 (daily ed. July 1, 1999). Representative Bereuter, a member of the House Committee on Banking and Financial Services, noted, “These privacy provisions are a pioneering, landmark advance forward by Congress in ensuring that consumers’ personal information is protected from unwanted disclosures by financial institutions.” 145 Cong. Rec. Hll,546 (daily ed. Nov. 4,1999). Other aspects of the statute that are at issue in this case were added by a joint HouseSenate ■ Conference Committee, which convened in September 1999 to reconcile the differences between the versions of the bill. First, the Joint Conference Committee included a “savings” provision to address the relationship between the GLB Act and the FCRA; this clause provided that “nothing in this chapter shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act....” 15 U.S.C. § 6806; H.R. Conf. Rep. No. 106^434, at 171 (1999). Second, the Joint Committee added a consumer reporting agency exception to the Act’s blanket prohibition against disclosing account numbers to third parties for use in telemarketing, direct mail marketing, or other electronic mail marketing. H.R. Conf. Rep. No. 106-434, at 172. “A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a customer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.” 15 U.S.C. § 6802(d). B. Administrative Rulemaking 1. The Rulemaking Proceedings Under the GLB Act, the defendant agencies were to issue regulations implementing provisions of the statute. These regulations describe, for example, the conditions under which financial institutions may disclose nonpublic personal information about consumers to nonaffiliated third parties, require such institutions to provide notice to their customers about privacy policies, and subject to certain exceptions, permit the consumer to opt out of this transmission of information. The Regulations define the limits on the disclosure of nonpublic personal information by financial institutions, as well as the conditions under which a nonaffiliated third party that receives this information may redisclose or use it. See, e.g., FTC Final Rule, 16 C.F.R. §§ 313.10-313.12 (2000). It is these Regulations that are at issue in this litigation. In particular, the agencies drafted a set of proposed rules as to which they solicited public comments. The draft rules attempted to define the term • “personally identifiable financial information” in 15 U.S.C. § 6809(4); the agencies proposed that personally identifiable information was financial if it was provided by a consumer, resulted from a transaction, or was otherwise obtained about a consumer by a financial institution in connection with providing a financial product or service to a consumer. See, e.g., FTC Notice of Proposed Rulemaking, “Privacy of Consumer Financial Information,” 65 Fed.Reg. 11,-174, 11,178 (March 1, 2000) (“FTC Proposed Rule”); Joint Notice of Proposed Rulemaking, “Privacy of Consumer Financial Information,” 65 Fed.Reg. 8770, 8773 (Feb. 22, 2000) (“Banking Agencies’ Proposed Rule”). To demonstrate the operation of the proposed definition, accompanying- examples explained that information that a consumer provides on an application to obtain a loan, credit card, or insurance would fall within this definition. 65 Fed. Reg. at 11,178. The agencies sought comments on the proposed definition, including comments relating to the fact that the term might include information “that may not be considered intrinsically financial.” 65 Fed.Reg. at 8774,11,178. More than 9,000 comments were submitted in response to the proposed rules. Comments concerning the definition of “personally identifiable financial information” were submitted by opposing groups. Industry groups argued that certain identifying information that was not intrinsically financial should not be considered within the definition. These entities contended that the proposed definition — when coupled with the Act’s limits on reuse and redisclosure — would restrict the flow of credit header information by preventing CRAs from disseminating such information. The net effect, they argued, would be to threaten the availability of highly reliable information used for socially beneficial purposes, such as combating fraud and locating missing individuals. See, e.g., FTC Record at 300,852 (Comment of Equi-fax that “the Proposed Rule functionally reads the word ‘financial’ out of the phrase ‘personally identifiable financial information’ ”); FTC Record at 300,932-33 (Comment of Experian Information Solutions to same effect); FTC Record at 301,638 (Comment of Trans Union to same effect); FTC Record at 301,964 (Comment of IRSG to same effect); FTC Record at 301,954 (Comment of Direct Marketing Association, Inc. to same effect). In contrast, consumer groups and state lawmakers filed comments urging the agencies to prevent the disclosure of personal information. See, e.g., FDIC Record at 105,158 (Comment of Consumers Union: Consumer Federation of America agreeing with the proposed definition of “personally identifiable financial information” because “any information collected by an institution about an individual should be defined as ‘personally identifiable’.... In these instances, but for the financial nature of the relationship, the information would not be collected.”); FTC Record at 300,973 (comment of Privacy Rights Clearinghouse to same effect); FDIC Record at 102,300 (Comment of Center for Democracy and Technology to same effect); OTS Record at 601,246 (Comment of Privacy Rights Clearing House to same effect); FDIC Record at 103,067, Board Record at 203,-140 (Letter signed by thirty-three state Attorneys General). These commentators felt that the proposed rules did not go far enough toward protecting consumer privacy, leaving too many loopholes for personal information to be shared without an individual’s consent. Id. Several Members of Congress also filed comments in support of these arguments. FTC Record at 300,-541-48, OTS Record at 601,536-43 (Comment of Congressional Privacy Caucus). 2. The Final Rules Following the Notice and Comment period, the agencies promulgated their Final Rules. They defined “nonpublic personal information,” in part, as “personally identifiable financial information.” 16 C.F.R. § 313.3(n)(l)(i). In turn, the Regulations defined “personally identifiable financial information” as information “(i) [a] consumer provides to you to obtain a financial product or service from you; (ii)[a]bout a consumer resulting from any transaction involving a financial product or service between you and a consumer; or (in) you otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.” 16 C.F.R. § 313.3(o)(l). In other words, “any information should be considered financial information if it is requested by a financial institution for the purpose of providing a financial service or product.” FTC Final Rule, “Privacy of Consumer Financial Information,” 65 Fed. Reg. 33,646, 33,658 (May 24, 2000); see Banking Agencies’ Final Rule, “Privacy of Consumer Financial Information,” 65 Fed.Reg. 35,162, 35,171 (June 1, 2000). In response to comments from industry groups objecting to the inclusion of name, address, and social security number in the definition of personally identifiable financial information, the FTC explained: [Financial institutions rely on a broad range of information that they obtain about consumers, including information such as addresses and telephone numbers, when providing financial products or services. Location information is used by financial institutions to provide a wide variety of financial services, from the sending of checking account statements to the disbursing of funds to a consumer. Other information, such as the maiden name of a consumer’s mother, often will be used by a financial institution to verify the consumer’s identity. The Commission concluded that it would be inappropriate to carve out certain terms of information that a particular financial institution might rely on when providing a particular financial product or service. FTC Final Rule, 65 Fed.Reg. at 33,658. The other agencies adopted nearly identical reasoning. See, e.g., Banking Agencies’ Final Rule, 65 Fed.Reg. at 35,171. The Final Rules were issued in spring 2000 and became effective as of November 13, 2000, with full compliance required by July 1, 2001. This litigation rapidly ensued. LEGAL ANALYSIS I. Standards of Review for Plaintiffs’ APA Claims Both plaintiffs have moved for summary judgment. A party is entitled to summary judgment where “there is no genuine issue as to any material fact and the moving party is entitled to judgment as a matter of law.” Fed.R.Civ.P. 56(c). Summary judgment is an appropriate mechanism for resolving cases involving administrative rulemaking on the record, particularly where, as here, the case turns chiefly on issues of statutory construction. See Troy Corp. v. Browner, 120 F.3d 277, 281 (D.C.Cir.1997). Plaintiffs raise four primary claims under the APA. First, plaintiff IRSG, joined by Trans Union, argues that defendants’ definition of “personally identifiable financial information” violates the APA for three reasons. Plaintiffs contend that this definition (1) conflicts with the plain language of the GLB Act; (2) is not a reasonable and permissible construction of the statute; and (3) is arbitrary and capricious because it does not further the express purposes of the Act. Second, Trans Union argues that it is not a “financial institution” covered by the GLB Act, and therefore, the agencies have no authority to regulate it under the Act. With regard to this claim, Trans Union asserts only a plain language argument— that the regulation of Trans Union by the Act violates the unambiguous meaning of the statute. Third, Trans Union argues that the Regulations violate the plain meaning of § 502(d) of the GLB Act, 15 U.S.G. § 6802(d). Trans Union argues that this section grants a special exemption to CRAs from the statute’s prohibition on the use of account numbers for marketing purposes, and that the Regulations conflict with the clear language of this exemption. Finally, Trans Union contends that defendants’ Regulations restricting the use and redisclosure of nonpublic personal information that is provided to a CRA in accordance with the Fair Credit Reporting-Act violates the APA. With respect to this claim, Trans Union makes four arguments: 1) the use restrictions violate the plain meaning of the GLB Act; 2) these regulations contradict the plain meaning of the statute’s “savings” clause, 15 U.S.C. § 6806, which mandates that the GLB Act not be “construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act,” Id.; 3) the use restrictions are an impermissible construction of the GLB Act; and 4) the use restrictions are arbitrary and capricious because the agencies have failed to justify them in the record. A. Chevron Claims that contest an agency’s construction of a statute it administers are ordinarily subject to the standard of review articulated in Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc., 467 U.S. 837, 104 S.Ct. 2778, 81 L.Ed.2d 694 (1984). In Chevron, the Supreme Court mandated a two-step process for reviewing an agency’s construction of a statute it administers. First, a court considers whether Congress spoke directly to the question at issue: if so, “that is the end of the matter, for the court, as well as the agency, must give effect to the unambiguously expressed intent of Congress.” Id. at 842-43, 104 S.Ct. 2778. If, however, the statute is unclear, “the question for the court is whether the agency’s answer is based on a permissible construction of the statute.” Id. at 843, 104 S.Ct. 2778. In answering that question, “considerable weight should be accorded to an executive department’s construction of a statutory scheme it is entrusted to administer.” Id. at 844, 104 S.Ct. 2778. The rationale for this deference is that the agency’s decision as to the meaning of the statute involves “reconciling conflicting policies and a full understanding of the force of the statutory policy ... [and] depend[s] upon more than ordinary knowledge respecting the matters subjected to agency regulations.” Id. In short, “a court may not substitute its own construction of a statutory provision for a reasonable interpretation made by the administrator of an agency.” Id. In an attempt to avoid the deference owed an agency under Chevron, plaintiffs present a range of creative arguments. First, plaintiffs argue that Chevron deference does not apply where, as here, Congress has directed numerous agencies to administer the statute. Second, plaintiffs contend that, regardless of Chevron, the Court is obliged to construe the GLB Act to avoid the constitutional difficulties raised by the agencies’ Regulations. The Court rejects plaintiffs’ contention that Chevron should not apply. The Regulations were the result of a statutorily coordinated effort among all the defendants. Plaintiffs’ initial argument — that Chevron is not the proper standard for regulations promulgated by multiple agencies — stretches precedent. One line of cases that plaintiffs cite actually stands for the proposition that Chevron deference does not apply to interpretations of statutes of general applicability, such as the Privacy Act, which are administered by a number of agencies, none of which has particular expertise in the substance of the statute — the policy basis for Chevron’s holding. See Bowen v. American Hosp. Ass’n, 476 U.S. 610, 642 n. 30, 106 S.Ct. 2101, 90 L.Ed.2d 584 (1986) (no deference to one agency’s interpretation of the Rehabilitation Act); Proffitt v. FDIC, 200 F.3d 855, 860 (D.C.Cir.2000) (agency interpretation of a statute of limitations); Benavides v. U.S. Bureau of Prisons, 995 F.2d 269, 272 n. 2 (D.C.Cir.1993) (agency interpretation of the Privacy Act). A second line of cases that plaintiffs cite is similarly inapposite. Those cases hold that Chevron deference does not apply to only one agency’s interpretation of a statute administered by multiple agencies. Salleh v. Christopher, 85 F.3d 689, 691-92 (D.C.Cir.1996); Wachtel v. OTS, 982 F.2d 581, 585 (D.C.Cir.1993) (no deference to OTS interpretation of statute that was also administered by the Board, the FDIC, and the Comptroller of Currency). Where, as here, the subject matter of the statute falls squarely within the agencies’ areas of expertise, and the Regulations were issued as a result of a statutorily-coordinated effort among the agencies, Chevron is the governing standard. National Treasury Employees Union v. MSPB, 743 F.2d 895, 916-17 (D.C.Cir.1984). Plaintiffs also attempt to evade Chevron by arguing that, because the agencies’ Regulations give rise to serious constitutional issues, the Court should not defer to their interpretation. While it is true that this Court reviews constitutional questions de novo, deference to the agencies’ actions is not denied simply because plaintiffs have raised constitutional arguments. For deference to be rejected, plaintiffs challenges must rise to the level of “serious” or “grave constitutional issues.” Chamber of Commerce v. FEC, 69 F.3d 600, 604 (D.C.Cir.1995). If not, as this Circuit explained in Republican National Committee v. FEC, 76 F.3d 400 (D.C.Cir.1996), Chevron still applies. “Because we can easily resolve the Committees’ First Amendment challenges through the application of controlling precedent ... we do not face the sort of serious constitutional questions that would lead us to assume Congress did not intend to authorize [the regulation’s] issuance.” Id. at 409 (internal quotations omitted). As in Republican National Committee, the instant plaintiffs’ constitutional arguments can be “easily resolved” through “controlling precedent” and therefore do not rise to the level of “grave constitutional issues” necessary to eliminate Chevron deference. See also Rust v. Sullivan, 500 U.S. 173, 191, 111 S.Ct. 1759, 114 L.Ed.2d 233 (1991) (holding that the regulations at issue did not “raise the sort of grave and doubtful constitutional questions that would lead us to assume Congress did not intend to authorize their issuance”). B. Arbitrary and Capricious Plaintiffs also challenge the Regulations under the “arbitrary and capricious” standard in the APA, which requires the Court to review whether the agency actions are “arbitrary, capricious, an abuse of discretion, or otherwise not in accordance with law.” 5 U.S.C. § 706(2)(A). While challenges under § 706(2)(C) — which follow the test set forth in Chevron — are directed primarily at the decision of the agency, § 706(2)(A) actions focus mainly on the decision-making process and rationale behind agency action. Michigan v. EPA, 213 F.3d 663, 682 (D.C.Cir.2000), cert. denied sub nom., — U.S. —, 121 S.Ct. 1225, 149 L.Ed.2d 135 (2001). While the standards of review for these types of challenges overlap, they are not identical: an agency’s interpretation may survive analysis under Chevron but still be struck down as arbitrary and capricious. American Petroleum Inst. v. EPA, 216 F.3d 50, 57-58 (D.C.Cir.2000); Michigan v. EPA 213 F.3d at 682. In reviewing the action of the agencies under § 706(2)(A), the Court must engage in a “thorough, probing, in-depth review,” Citizens to Preserve Overton Park, Inc. v. Volpe, 401 U.S. 402, 415, 91 S.Ct. 814, 28 L.Ed.2d 136 (1971), to determine whether the agencies have “examine[d] the relevant data and artieulate[d] a satisfactory explanation for its action.... ” Motor Vehicle Manufacturer’s Ass’n v. State Farm Mutual Ins. Co., 463 U.S. 29, 43, 103 S.Ct. 2856, 77 L.Ed.2d 443 (1983). “In thoroughly reviewing the agency’s actions, the Court considers whether the agency acted within the scope of its legal authority, whether the agency has explained its decision, whether the facts on which the agency purports to have relied have some basis in the record, and whether the agency considered the relevant factors.” Fund for Animals v. Babbitt, 903 F.Supp. 96,105 (D.D.C.1995) (citing Marsh v. Oregon Natural Resources Council, 490 U.S. 360, 378, 109 S.Ct. 1851, 104 L.Ed.2d 377 (1989); Citizens to Preserve Overton Park, 401 U.S. at 415-16, 91 S.Ct. 814; Professional Drivers Council v. Bureau of Motor Carrier Safety, 706 F.2d 1216, 1220 (D.C.Cir.1983)). Conclusory statements are insufficient to meet this requirement. Dickson v. Secretary of Defense, 68 F.3d 1396, 1405 (D.C.Cir.1995). “Normally, an agency rule would be arbitrary and capricious if the agency has relied on factors which Congress had not intended it to consider, entirely failed to consider an important aspect of the problem, offered an explanation for its decision that runs counter to the evidence before the agency, or is so implausible that it could not be ascribed to a difference in view or the product of agency expertise.” Motor Vehicle Mfrs. Ass’n., 463 U.S. at 43, 103 S.Ct. 2856. The scope of review under this standard, however, is narrow, and a court is not to substitute its view for that of the agency. Id. Moreover, an agency’s decision must be upheld under this standard “if the agency’s path may reasonably be discerned” and will only be reversed where “there has been a clear error of judgment.” Id. (citations omitted). II. Plaintiffs’ APA Claims Having set forth the relevant standards of review under the APA, the Court turns now to plaintiffs’ four arguments for invalidating the Regulations. A. Is Credit Header Data “Personally Identifiable Financial Information”? 1. Chevron Step One Plaintiffs argue that the agencies’ definition of “personally identifiable financial information” conflicts with the unambiguous meaning of the statute, and that under the first step of Chevron, defendants’ interpretations of several provisions of the Act should therefore not be accorded any deference. “[W]hen a statute is clear and unambiguous, consideration of administrative interpretation contrary to such language is inappropriate; the agency cannot by its interpretation, override the congressional will as memorialized in the statutory language.” Mylan Pharm., Inc. v. Henney, 94 F.Supp.2d 36, 47 (D.D.C.2000) (internal quotations omitted). “Under the first step of Chevron, the reviewing court must first exhaust the traditional tools of statutory construction to determine whether Congress has spoken to the precise question at issue.” Bell Atlantic Telephone v. FCC, 131 F.3d 1044, 1047 (D.C.Cir.1997) (internal quotations omitted). In 15 U.S.C. § 6809(4)(A), Congress defined NPI as “personally identifiable financial information — (i) provided by a customer to a financial institution; (ii) resulting from any transaction with the customer or any service performed for the customer; or (iii) otherwise obtained by the financial institution.” 15 U.S.C. § 6809(4)(A). The GLB Act provides no definition of “personally identifiable financial information.” The Regulations promulgated by the agencies fill this gap. Under the Final Rules, PIFI is “any information: (i)[a] consumer provides to [a regulated financial institution] to obtain a financial product or service ... (ii)[a]bout a consumer resulting from any transaction involving a financial product or service between [a regulated financial institution] and a consumer; or (iii) [a regulated financial institution] otherwise obtain[s] about a consumer in connection with providing a financial product or service to that consumer.” 16 C.F.R § 313.3(o)(l). Plaintiffs contend that this definition effectively reads the word “financial” out of the phrase “personally identifiable financial information,” because it applies to any information provided to or otherwise obtained by the financial institution about a consumer. Under the agencies’ definition of PIFI, plaintiffs argue, credit header information is improperly subsumed within the ambit of the GLB Act. Whether the phrase “personally identifiable financial information” is an unambiguous term — and, as a corollary, whether defendants’ interpretation violates any plain meaning of that term — presents a challenging question. However, based on the language, structure, and legislative history of the GLB Act, this Court concludes that “personally identifiable financial information” is an ambiguous term in the Act and that the agencies’ interpretation is therefore entitled to deference. “The first traditional tool of statutory construction focuses on the language of the statute.” Bell Atlantic, 131 F.3d at 1047. Plaintiffs cite the dictionary definition of “financial” as “pertaining to monetary receipts and expenditures; pertaining to or relating to money matters; pecuniary ... of or pertaining to those commonly engaged in dealing with money or credit.” (IRSG Mem. at 30.) Consequently, plaintiffs argue that defendants’ definition of “personally identifiable financial information” as all information that a customer provides to a financial institution (or that the financial institution otherwise obtains about the customer) conflicts with the plain meaning of “financial” — thereby effectively eliminating any financial component from the Act’s phrase “personally identifiable financial information.” The Court finds this argument to be somewhat too simplistic, since one meaning plaintiffs expressly suggest as a dictionary definition of “financial” is “of or pertaining to those commonly engaged in dealing with money or credit.” Under that definition, all information provided by a customer to a bank, for example, would likely qualify as “financial,” because once disclosed by the customer, it becomes information that is “of or pertaining to” the bank. It is also necessary to examine § 6809(4)(A) in the context of the entire statute. “In determining whether Congress has specifically addressed the question at issue, the court should not confine itself to examining a particular statutory provision in isolation. Rather, it must place the provision in context, interpreting the statute to create a symmetrical and coherent regulatory scheme.” FDA v. Brown & Williamson, 529 U.S. 120, 121, 120 S.Ct. 1291, 146 L.Ed.2d 121 (2000). Plaintiffs appear to argue that Congress intended to categorize consumer information into two distinct groups — identifying information and intrinsically financial information — that parallel the organization of a consumer report. Plaintiffs contend that the identifying information — ’the content of a credit header — is plainly beyond the definition of “personally identifiable financial information,” whereas intrinsically financial information — which plaintiffs equate with the tradeline data — falls within the meaning of the term. The language of other provisions of the GLB Act, however, suggests otherwise. Congress included within the definition of “nonpublic personal information” “any list, description or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information.” 15 U.S.C. § 6809(4)(C)(i). In so doing, Congress provided for especially broad privacy protections for all information contained in these lists of consumers that is derived using nonpublic personal information. This is so even where the information is otherwise publicly available: the information is still protected, as long as it was derived using nonpublic personal information. Id. This provision suggests that in drafting the GLB Act, Congress recognized that the status of particular types of information may vary according to the context in which it is used. Information used in or derived from a financial context is nonpublic personal information under § 6809(4)(C)(i); the same information in another context, however, may not be NPI. Thus, it is the context in which information is disclosed — rather than the intrinsic nature of the information itself— that determines whether information falls within the GLB Act. Plaintiffs counter by arguing that the overbreadth of defendants’ definition of “personally identifiable financial information” under § 6809(4)(A) can be shown by comparing it to the definition of “customer information of a financial institution” in 15 U.S.C. § 6827(2). The latter phrase is defined as “[a]ny information maintained by or for a financial institution which is derived from the relationship between the financial institution and a customer of the financial institution and is identified with the customer.” Id. Plaintiffs argue that this difference in language underscores the fact that Congress used different terms because it intended the provisions to have two different meanings. Russello v. United States, 464 U.S. 16, 23, 104 S.Ct. 296, 78 L.Ed.2d 17 (1983); Southwestern Bell Corp. v. FCC, 43 F.3d 1515, 1521-22 (D.C.Cir.1995). Plaintiffs’ argument, however, is not persuasive. “Personally identifiable financial information” comes from Subtitle A of the GLB Act, which governs the disclosure of nonpublic personal information by financial institutions, as defined broadly. See 15 U.S.C. § 6809(3). “Customer information of a financial institution,” on the other hand, is a phrase from Subtitle B of the Act, which addresses fraudulent access to financial information in financial institutions, as defined narrowly. See 15 U.S.C. § 6827(4). These two different subtitles of the Act govern different activities, and use different terms and different definitions of the same terms. “Customer information of a financial institution,” for example, covers only information that is “maintained” by a financial institution; “nonpublic personal information” includes information that is “provided by” consumers. Compare 15 U.S.C. § 6827(2) with § 6809(4)(A)(i). Contrary to plaintiffs’ argument, the Court is unwilling to draw an inference about the plain meaning of a phrase in one subtitle of the Act based on the definition of a phrase used in a separate subtitle that contains different words and different definitions of the same words, and addresses different issues. Finally, the Court notes that an examination of “the history, structure, and underlying policy purpose of the statute,” Bell Atlantic, 131 F.3d at 1048, supports the finding that the meaning of “personally identifiable financial information” is not clear from the GLB Act. Committee reports and legislative debates show that at least two Members of Congress explicitly stated that the type of information contained in credit headers is “personal financial information.” Senator Diane Fein-stein, a co-sponsor of the legislation, noted, “Financial institutions share and sell social security numbers, addresses, information about what stocks we own, what checks we write, what we charge on our credit cards, and how much we have in the bank. All of this without the knowledge or permission of their clients. I believe Americans should have the opportunity to prohibit a financial institution from sharing or selling this personal financial information.” 145 Cong. Rec. S13,903 (daily ed. Nov. 4, 1999) (emphasis added). Another cosponsor, Representative Deborah Pryce, made similar statements during debates in the House. [L]et me ask my colleagues if they are tired of their phone ringing in the middle of dinner only to be solicited for lawn care service. Are they tired of getting so much junk mail that they have to empty their trash twice as often as they used to? Are they tired of their teenagers being solicited for a new credit card every other week? Are they tired of wondering who in the world is giving out their addresses and phone numbers to these strangers? Well, I am, and I am mad as heck about it. So today I am taking the floor to issue a public service warning to all of our constituents: “Mr. and Mrs. America, your personal financial information may be disclosed by your bank to any Tom, Dick, and Harry without your knowledge and without your consent.” 145 Cong. Rep. H5312 (daily ed. July 1, 1999) (statement of Rep. Pryce) (emphasis added). This inclusion of credit header information within the meaning of “financial information” during debates in both Houses of Congress reinforces the finding that the statute cannot be interpreted as argued by plaintiffs would like, but more fairly should be characterized as ambiguous with respect to that term. As a result, defendants’ definition of PIFI does not contradict the plain language of the statute. 2. Chevron Step Two Alternatively, plaintiffs argue that even if the term “personally identifiable financial information” is ambiguous, the regulation still cannot survive scrutiny under step two of Chevron because it “diverges from any realistic meaning of the statute.” Natural Resources Defense Council, Inc. v. Daley, 209 F.3d 747, 753 (D.C.Cir.2000); GTE Serv. Corp. v. FCC, 205 F.3d 416, 421 (D.C.Cir.2000). See City of Cleveland v. U.S. Nuclear Regulatory Comm’n, 68 F.3d 1361, 1367 (D.C.Cir.1995) (providing that an agency’s interpretation must be “reasonable and consistent with the statutory scheme and legislative history”). Plaintiffs assert that defendants’ definition of PIFI is not a “reasonable and permissible construction of the statute,” Daley, 209 F.3d at 754, because it contradicts the GLB Act’s requirement that NPI be both “personally identifiable” and “financial.” In support of this argument, plaintiffs cite GTE Serv. Corp, in which this Circuit struck down an FCC Collocation Order based on the statutory term “necessary.” The Court found the term to be ambiguous, but held that the order was an impermissibly broad construction of the statute because it required collocation of “any and all” equipment rather than just that which was “necessary.” GTE Serv. Corp., 205 F.3d at 424. Like the Collocation Order, plaintiffs argue, defendants’ definition of PIFI has no limits. The Court disagrees with plaintiffs’ analysis. Under the Final Rules, PIFI is, in fact, limited in several ways. The Regulations define PIFI as “any information a consumer provides to [a financial institution] to obtain a financial product or service.” 16 C.F.R. § 313.3(o)(1)(i). Excluded from the definition is information provided to a financial institution for other reasons, such as a sweepstakes entry. PIFI also includes only information about individuals who obtain financial services primarily for family, personal, or household purposes — therefore excluding all information provided by individuals for business purposes. E.g., 16 C.F.R. § 313.1(b). Unlike the order at issue in GTE Serv. Corp., defendants’ regulations have boundaries. As described above, they are also “reasonable and consistent with the statutory purpose,” GTE Serv. Corp., 205 F.3d at 420-21, because they are linked directly to the goal of giving customers of financial institutions control over their personal information. Defendants’ regulations are therefore a permissible construction of the GLB Act under step two of Chevron. In this regard, the Supreme Court’s opinion in Rust is instructive. In Rust, plaintiffs challenged Department of Health and Human Services (“HHS”) regulations that were implemented pursuant to Title X of the Public Health Service Act, 84 Stat. 1506 (codified as amended at 42 U.S.C. §§ 300 to 300a-6 (1994)), which provides federal funding for family planning services. In the subsequent regulations, HHS established a procedure for allocating funds under Title X, and attached three principal conditions to the disbursements to ensure that “none of the funds appropriated under [that] subchapter [would] be used in programs where abortion is a method of family planning.” 42 U.S.C. § 300a-6. Plaintiffs challenged these regulations, and the Supreme Court applied Chevron’s analysis to determine their validity. After disposing of petitioners’ plain language argument, the Court found that “[t]he broad language of Title X plainly allows the [HHS] Secretary’s construction of the statute.” Rust, 500 U.S. at 184, 111 S.Ct. 1759. Moreover, the Court found the legislative history to be “ambiguous with respect to Congress’ intent in enacting Title X.” Id. at 185, 111 S.Ct. 1759. The Court concluded that “[w]hen we find, as we do here, that the legislative history is ambiguous and unenlightening on the matters with respect to which the regulations deal, we customarily defer to the expertise of the agency.” Id. at 186, 111 S.Ct. 1759. Because the Court found that “the Secretary amply justified his ... interpretation with a reasoned analysis, ... [and] having concluded that the plain language and legislative history are ambiguous as to Congress’ intent in enacting Title X, we must defer to the Secretary’s permissible construction of the statute.” Id. at 187, 111 S.Ct. 1759 (internal quotations and citations omitted). Here, as in Rust, both the language of the statute and the legislative history provide no clear answers. But the defendants have justified their constructions with reasoned analysis. The FTC, for example, explained its definition of PIFI by noting that “this approach is consistent with the broad definition of ‘financial institution’ used in the statute.... [Some] commentators consistently suggested that names, addresses, and phone numbers should not be treated as financial information. However, financial institutions rely on a broad range of information that they obtain about consumers, including information such as addresses and telephone numbers .... The Commission concluded that it would be inappropriate to carve out certain items of information that a particular financial institution might rely on when providing a financial product or service.” FTC Final Rule, 65 Fed.Reg. at 33,658. Where, as here, Congress has acted ambiguously and defendants have justified their regulations with careful reasoning and analysis, Rust instructs that the agencies’ construction of the statute is permissible and that the Court must defer to that interpretation. 3. Arbitrary and Capricious. Plaintiffs also argue that the Regulations are arbitrary and capricious and are therefore unlawful. In particular, plaintiffs assert that the definition of “personally identifiable financial information” is arbitrary and capricious because it does nothing to further the express purposes of the GLB Act — that is, that there is no rational connection between the facts found by defendants and the choices they made in promulgating the Regulations. Plaintiffs posit three central arguments in support of their position that defendants’ definition of “personally identifiable financial information” is arbitrary and capricious. First, they contend that defendants’ regulations conflict with their policy arguments about the sanctity of personal information. In particular, plaintiffs argue that consumers are equally susceptible to the risks of identity theft or physical harm, about which defendants have expressed concern, from information acquired by a bank for a sweepstakes — -which defendants admit is not covered by the Regulations— as from that provided for financial services. There is no arbitrariness, however, in the Regulations’ focus on protecting information that consumers are required to provide in order to obtain financial services, rather than information that is volunteered for other purposes, such as sweepstakes. In fact, only the former promotes the stated policy of the GLB Act. See 15 U.S.C. § 6801. Second, plaintiffs argue that all the defendants except the FTC failed to respond to public comments on the proposed definition of “personally identifiable financial information.” In its Final Rule, the FTC noted that “[a]ny information should be considered financial information if it is requested by a financial institution for the purpose of providing a financial product or service.” FTC Final Rule, 65 Fed.Reg. at 33,658. The record reflects that all six of the defendant agencies coordinated their rulemaking efforts, as well as their Final Rules; there is no reason that each of the six defendants should be required to address directly the comments on the proposed definition of PIFI. Because the definitions promulgated by all six agencies are virtually identical, the response of the FTC is sufficient on behalf of all defendants. Finally, plaintiffs contend that the inclusion of credit header information that has been homogenized — that is, stripped of all intrinsically financial information — within the definition of PIFI is arbitrary and capricious. As noted, however, the record reflects that the Regulations are consistent with the GLB Act’s policy of enabling consumers to retain control over the personal information that they are required to provide to financial institutions. Thus, plaintiffs’ arbitrary and capricious challenge must fail. B. Is Trans Union a Financial Institution Subject to Regulation Under the GLB Act? Next, Trans Union contends it is a non-financial institution, and as such, defendants have no authority to regulate it. Specifically, plaintiff argues that CRAs are not financial institutions under the GLB Act, and that Congress intended to give the