REPORT FOR THE
ADMINISTRATIVE CONFERENCE OF THE UNITED STATES

PROTECTED MATERIALS IN PUBLIC RULEMAKING DOCKETS
Christopher S. Yoo
University of Pennsylvania Carey Law School

This report was prepared for the consideration of the Administrative Conference of the United States. It does not
necessarily reflect the views of the Conference (including its Council, committees, or members).

Recommended Citation
Christopher S. Yoo, Protected Materials in Public Rulemaking Dockets (Nov. 23, 2020) (report to the Admin. Conf.
of the U.S.) [URL forthcoming]

Acknowledgments
Todd Rubin and Reeve Bull of the Administrative Conference offered insightful guidance and
feedback throughout the process of generating this report. Kellen McCoy and Elizabeth Peled
provided expert research assistance. Timothy von Dulm provided outstanding library support.
The research team would welcome suggestions and any corrections, particularly from the
agencies discussed in the draft report.

Abstract
Agencies conducting informal rulemaking proceedings increasingly confront conflicting
duties with respect to protected materials included in information submitted in public rulemaking
dockets. They must reconcile the broad commitment to openness and transparency reflected in
federal law with the duty to protect confidential business information (CBI) and personally
identifiable information (PII) against improper disclosure.
This report presents an analysis of how agencies can best balance these often-countervailing considerations. Part I explores the legal duties to disclose and withhold
information submitted in public rulemaking dockets placed on agencies by the E-Government
Act of 2002, Executive Order No. 13,563, the Administrative Procedure Act, the Government in
the Sunshine Act, the Privacy Act of 1974, the Trade Secrets Act, and the Freedom of
Information Act. It also examines judicial decisions and other legal interpretations regarding the
proper way to trade off these opposing concerns.
Part II explores current agency practices with respect to protected materials. The
assessment of agency practices is based on a survey of notices of proposed rulemaking (NPRMs)
and system of records notices (SORNs) issued by agencies and their web portals accepting
comments on rulemaking proceedings as well as interviews and a roundtable with agency
officials and a survey sent to agencies. All survey answers or interviews are reported
confidentially.
Part III combines the legal analysis and the assessment of agency practices to make a
series of recommendations regarding possible changes to NPRMs, web portals, and agency
guidance and procedures. The recommendations take into account the importance of not
imposing unnecessary burdens on agency staff.

Introduction
I. Legal Duties to Disclose and Withhold Protected Materials Submitted in Public Rulemaking Dockets
   A. Legal Duties to Disclose Information
      1. The E-Government Act of 2002
      2. Executive Order No. 13,563
      3. The Administrative Procedure Act
      4. The Government in the Sunshine Act
      5. The Freedom of Information Act (FOIA)
   B. Legal Duties to Withhold Information
      1. The Privacy Act of 1974
      2. The E-Government Act of 2002
      3. The Trade Secrets Act
      4. The Sunshine Act Exemptions
      5. The FOIA Exemptions
   C. Interpretive Decisions Balancing the Duties to Disclose and Withhold
      1. Decisions Under the Privacy Act
      2. Decisions Under the Trade Secrets Act
      3. Decisions Under the Administrative Procedure Act
      4. Decisions Under the E-Government Act of 2002
      5. Decisions Under the Sunshine Act and Its Exemptions
      6. Decisions Under FOIA and Its Exemptions
   D. Synthesizing the Duties and Interpretive Decisions
II. Agency Practices with Respect to Disclosing and Withholding Protected Materials in Rulemaking Dockets
   A. Advance Notice of Policies Governing Protected Materials
      1. Notices of Proposed Rulemaking (NPRMs)
      2. Public Meetings
      3. Websites
      4. System of Records Notices (SORNs)
      5. Surveys, Negotiated Rulemakings, Ex Parte Communications, and Regulations
   B. Type and Frequency of Submission of Protected Materials
      1. Confidential Business Information (CBI)
      2. Personally Identifiable Information (PII)
   C. Agency Processes for Dealing with Protected Materials
      1. Frequency of Screening for CBI and PII
      2. Standards for Screening for CBI and PII
      3. Procedures for Reviewing Requests for Confidentiality
      4. Techniques for Facilitating Meaningful Public Comment on Protected Materials
      5. Procedures for Challenging Decisions to Disclose or Withhold Protected Materials
III. Findings and Recommendations
   A. Recognition of a Strong Default Presumption in Favor of Disclosure
   B. The Inclusion of Language in All NPRMs Disclosing Agency Policies Regarding Protected Materials
   C. The Inclusion of Language on Comment Submission Websites Disclosing Agency Policies Regarding Protected Materials
   D. The Provision of Guidance on How to Submit Comments Containing Confidential Information and the Possible Creation of a Process for Online Submission
   E. The Lack of Clear Benefit from Revising SORNs to Include Policies Regarding Protected Materials
   F. The Lack of Need to Screen Public Rulemaking Dockets for CBI When the Commenter Has Not Requested Confidentiality
   G. The Need to Screen All Docket Materials for Certain Types of PII, Possibly Through Computerized Screening
   H. The Benefits of Providing Guidance and Training to Agency Staff About Standards for Determining What Materials Merit Withholding
   I. The Benefits of Providing Clear Internal and External Guidance on Agency Procedures for Decisions Regarding Protected Materials
   J. The Proper Use of Redaction, Aggregation, and Anonymization Over Full Withholding
IV. Conclusion
Appendices
   Appendix A: Text of the Survey Sent to Agencies
   Appendix B: Comparison of NPRM Language on the Disclosure and Withholding of Protected Materials in Rulemaking Dockets
   Appendix C: Comparison of Language on the Disclosure and Withholding of Protected Materials in SORNs Regarding Rulemaking Dockets
   Appendix D: Model NPRM Language Disclosure and Withholding of Protected Materials in Rulemaking Dockets
   Appendix E: Model Website Language on the Disclosure and Withholding of Protected Materials in Rulemaking Dockets

INTRODUCTION
The U.S. government has long embraced a policy of promoting the integration of online
services into the rulemaking process. For example, the E-Government Act of 2002 requires
agencies to accept submissions electronically and to make dockets publicly available
electronically to the greatest extent practicable.1 In addition, Executive Order No. 13,563 charges
agencies with working to enable the public to submit comments through the Internet and to enjoy
timely online access to public rulemaking dockets.2 Administrative Conference Recommendation
2013-4 similarly calls upon agencies to “manage their public rulemaking dockets to achieve
maximum public disclosure.”3
At the same time, the federal government has become increasingly aware of its
responsibilities to protect certain types of information submitted during the rulemaking process
against disclosure. For example, the Privacy Act of 1974 explicitly acknowledges that the
increasing use of computer storage has increased the need to protect personal information held
by the federal government against disclosure.4 The E-Government Act sounds a similar note
when it specifies that online access to government information must be “provide[d] in a manner
consistent with laws regarding protection of personal privacy.”5 Administrative Conference
Recommendation 2013-4 echoes this concern when it advises agencies to “develop a general

1 Pub. L. No. 107-347, § 206(c), (d)(1)–(2), 116 Stat. 2899, 2916 (codified at 44 U.S.C. § 3501 note).
2 Exec. Order No. 13,563, § 2(a)–(b), 3 C.F.R. § 215 (2012), reprinted in 76 Fed. Reg. 3,821 (Jan. 18, 2011), and 5 U.S.C. § 601 app. at 836–37 (2018).
3 Administrative Conference Recommendation 2013-4: The Administrative Record in Informal Rulemaking 8 ¶ 2, ADMIN. CONF. U.S. (June 14, 2013), https://www.acus.gov/sites/default/files/documents/Administrative%20Record%20_%20Final%20Recommendation%20_%20Approved_0.pdf.
4 Pub. L. No. 93-579, § 2(a)(2), (a)(5), 88 Stat. 1896, 1896, reprinted in 5 U.S.C. § 552a app. at 790 (2018).
5 § 2(b)(11), 116 Stat. at 2901 (codified at 44 U.S.C. § 3601 note).

policy regarding treatment of protected or privileged materials,” and disclose those policies to
the public.”6 The Recommendation further advises agencies to “issue guidance to aid personnel
in implementing the above best practices,” addressing, among other things, “management and
segregation of sensitive or protected materials, e.g., copyrighted, classified, protected personal,
or confidential supervisory or business information” and “policies and procedures, if any, for the
protection of sensitive information submitted by the public during the process of rulemaking or
otherwise contained in the rulemaking record.”7
This report examines the relevant legal obligations and current agency practices to offer
an assessment of the best way to achieve both of these considerations simultaneously. Part I
details the competing statutory obligations to disclose and withhold applicable to agencies
performing informal rulemaking and examines the judicial precedent considering how to strike
the proper balance between these two opposing considerations. Part II analyzes current agency
practices with respect to disclosure and withholding as reflected in current notices of proposed
rulemaking (NPRMs), system of records notices (SORNs), disclosures contained in online portals
for submitting comments in rulemaking proceedings, and a survey circulated to agencies. Part III
offers a series of recommendations based on the preceding legal and empirical analysis. Part IV
concludes.

6 Administrative Conference Recommendation 2013-4, supra note 3, at 10 ¶ 10.
7 Id. at 10–11 ¶ 11(e)–(f).

I. LEGAL DUTIES TO DISCLOSE AND WITHHOLD PROTECTED MATERIALS SUBMITTED IN PUBLIC RULEMAKING DOCKETS

The administrative agencies of the United States are obligated to comply with numerous
and occasionally conflicting legal obligations with respect to disclosure of information submitted
during the rulemaking process. On the one hand, acts such as the E-Government Act of 2002, the
Freedom of Information Act (FOIA), and the Government in the Sunshine Act mandate openness
and disclosure from federal agencies. On the other hand, the Privacy Act and the enumerated
exemptions of FOIA charge agencies with a duty to keep certain personally identifiable
information (PII) and confidential business information (CBI) away from public view. When
administrative agencies make decisions regarding what should and should not be disclosed, they
must balance these competing statutes.
A. Legal Duties to Disclose Information

Four sources of law directly govern agencies’ duties to disclose information during
the rulemaking process: the E-Government Act, Executive Order No. 13,563, the
Administrative Procedure Act, and the Government in the Sunshine Act. The Freedom of
Information Act (FOIA) has an indirect effect on agency disclosure during the rulemaking
process by providing for an independent cause of action that allows citizens to obtain access to
information submitted during the rulemaking process.
1. The E-Government Act of 2002

Congress enacted the E-Government Act “[t]o enhance the management and promotion
of electronic Government services and processes” and “to enhance citizen access to Government
information and services.”8 The statute specified eleven purposes, nine devoted to “improving
government efficiency, organization, and decision-making”9 and two devoted “[t]o provid[ing]
increased opportunities for citizen participation in Government” and “[t]o mak[ing] the Federal
Government more transparent and accountable.”10
To effectuate these goals, Section 206 of the E-Government Act provides that “[t]o the
extent practicable, agencies shall accept submissions” in response to an NPRM “by electronic
means.”11 In addition, “[t]o the extent practicable, as determined by the agency in consultation
with the Director [of the Office of Management and Budget (OMB)], agencies shall ensure that a
publicly accessible Federal Government website contains electronic dockets for rulemakings”
under the APA.12 These “[a]gency electronic dockets shall make publicly available online” “all
submissions” in response to an NPRM and “other material that by agency rule or practice are
included in the rulemaking docket,” again “[t]o the extent practicable as determined by the
agency and the Director.”13
2. Executive Order No. 13,563

Executive Order No. 13,563, “Improving Regulation and Regulatory Review,” imposed a
number of requirements designed “to improve regulation and regulatory review.”14 Section 1

8 116 Stat. at 2899.
9 Elec. Privacy Info. Ctr. v. U.S. Dep’t of Commerce, 928 F.3d 95, 98 (D.C. Cir. 2019). For these purposes, see § 2(b)(1), (b)(3)–(8), (b)(10)–(11), 116 Stat. at 2901 (codified at 44 U.S.C. § 3601 note).
10 § 2(b)(2), (b)(9), 116 Stat. at 2901.
11 § 206(c), 116 Stat. at 2916 (codified at 44 U.S.C. § 3501 note).
12 § 206(d)(1), 116 Stat. at 2916.
13 § 206(d)(2), 116 Stat. at 2916.
14 Exec. Order No. 13,563, 3 C.F.R. § 215 (2012), reprinted in 5 U.S.C. § 601 app. at 836–37 (2018).

establishes “public participation and an open exchange of ideas” as one of the “General
Principles of Regulation.”15
Section 2 provides that “[r]egulations shall be adopted through a process that involves
public participation” and “shall be based, to the extent feasible and consistent with law, on the
open exchange of information and perspectives among State, local, and tribal officials, experts in
relevant disciplines, affected stakeholders in the private sector, and the public as a whole.”16 To
effectuate these goals, “each agency . . . shall endeavor to provide the public with an opportunity
to participate in the regulatory process” and “shall afford the public a meaningful opportunity to
comment through the Internet on any proposed regulation.”17 In addition, “each agency shall also
provide, for both proposed and final rules, timely online access to the rulemaking docket on
regulations.gov . . . in an open format that can be easily searched and downloaded.”18
Furthermore, “such access shall include, to the extent feasible and permitted by law, an
opportunity for public comment on all pertinent parts of the rulemaking docket.”19
3. The Administrative Procedure Act

The Administrative Procedure Act (APA) provides additional statutory guidance as to
what must be made public during a rulemaking. Section 553 requires agencies to publish NPRMs
in the Federal Register20 and give interested persons the opportunity to participate in the
rulemaking process by submitting comments about the proposed rule.21 Moreover, “[a]fter

15 Id. § 1.
16 Id. § 2(a).
17 Id. § 2(b).
18 Id.
19 Id.
20 5 U.S.C. § 553(b).
21 Id. § 553(c).

consideration of the relevant matter presented, the agency shall incorporate in the rules adopted a
concise general statement of their basis and purpose.”22
Courts have recognized the critical role that comments and the required responses to
them in the statement of basis and purpose play in making clear “what major issues of policy
were ventilated by the informal proceedings and why the agency reacted to them as it did.”23 The
“degree of public awareness, understanding, and participation commensurate with the
complexity and intrusiveness of the resulting regulations” is what justifies “entrust[ing] the
Agency with wide-ranging regulatory discretion.”24 In Portland Cement, the District of
Columbia Circuit held that during rule-making proceedings, an agency cannot “promulgate rules
on the basis of . . . data that, to a critical degree, is known only to the agency,”25 nor can an
agency promulgate rules without identifying the methodology behind their tests.26
The D.C. Circuit has noted how agencies depend on “an exchange of views, information,
and criticism between interested persons and the agency” and “a dialogue among interested
parties through provisions for comment, reply-comment, and subsequent oral argument” to
inform their decisionmaking.27 That is why the Supreme Court has observed that “the notice-and-comment procedures of the Administrative Procedure Act [are] designed to assure due
deliberation”28 and why the Court regards having undergone the notice-and-comment process as

22 Id.
23 Auto. Parts & Accessories Ass’n v. Boyd, 407 F.2d 330, 338 (D.C. Cir. 1968); accord U.S. v. Nova Scotia Food Prods. Corp., 568 F.2d 240, 252 (2d Cir. 1977) (quoting this language from Boyd with approval).
24 Weyerhaeuser v. Costle, 590 F.2d 1011, 1028 (D.C. Cir. 1978); accord id. at 1027–28 (noting that “the degree of openness, explanation, and participatory democracy required by the APA” is what “‘negate[s] the dangers of arbitrariness and irrationality in the formulation of rules’” (quoting Boyd, 407 F.2d at 308)).
25 Portland Cement Ass'n v. Ruckelshaus, 486 F.2d 375, 326 (D.C. Cir. 1973).
26 Id. at 325.
27 Home Box Off., Inc. v. FCC, 567 F.2d 9, 36, 55 (1977); accord David L. Bazelon, The Impact of the Courts on Public Administration, 52 IND. L.J. 101, 107–08 (1976) (noting how the “system of peer review and oversight” provided by the notice-and-comment process plays a key role in improving agency decisionmaking).
28 Smiley v. Citibank (S.D.), N.A., 517 U.S. 735, 741 (1996).

a key consideration when determining when an agency’s decision will receive Chevron
deference.29
In addition to the direct obligations imposed by 5 U.S.C. § 553, the judicial review
provisions contained in the APA also have an effect on agency disclosure. Section 706 of the
APA authorizes courts to “hold unlawful or set aside agency action . . . found to be arbitrary,
capricious, an abuse of discretion, or otherwise not in accordance with law.”30 The statute further
requires that courts conduct their review on the basis of “the whole record.”31 Courts have held
that “[t]he whole record in an informal rule-making case” includes “comments received.”32
Failure to gather and disclose comments can be a basis for granting a petition for review.33 In
addition, giving others the opportunity to respond to arguments raised in comments or hearings is
“salutary” if not strictly required and makes it more likely that the court will have the full range
of points of view necessary to conduct proper judicial review.34
4. The Government in the Sunshine Act

The Government in the Sunshine Act “declare[s it] to be the policy of the United States
that the public is entitled to the fullest practicable information regarding the decisionmaking
processes of the Federal Government.”35 As the Senate Report observed, the statute was
designed to ensure that the “government should conduct the public’s business in public.”36 It is

29 United States v. Mead, 533 U.S. 218, 229 (2001).
30 5 U.S.C. § 706(2)(A).
31 Id. § 706.
32 Rodway, 514 F.2d at 817; accord Administrative Conference Recommendation 2013-4, supra note 3, at 4, 8 ¶ 1.
33 Citizens to Preserve Overton Park v. Volpe, 401 U.S. 402, 419 (1971); U.S. Lines, Inc. v. Fed. Maritime Comm’n, 584 F.2d 519, 535 (D.C. Cir. 1978); Rodway v. Dep’t of Agric., 514 F.2d 809, 816–17 (D.C. Cir. 1975).
34 Int’l Harvester Co. v. Ruckelshaus, 478 F.2d 615, 632 (D.C. Cir. 1973).
35 Pub. L. No. 94-409, § 2, 90 Stat. 1241, 1241 (1976).
36 S. REP. NO. 94-354, at 1 (1975); see also H.R. REP. NO. 94-880, at 2–4 (1976), reprinted in 1976 U.S.C.C.A.N. 2183.

based on the belief that “increased openness would enhance citizen confidence in government,
encourage higher quality work by government officials, stimulate well-informed public debate
about government programs and policies, and promote cooperation between citizens and
government,” ultimately “mak[ing] government more fully accountable to the people.”37
As a result, the Sunshine Act requires that agency members generally “jointly conduct or
dispose of agency business” through meetings that are “open to public observation.”38 The Act
went beyond FOIA by omitting a deliberative process exemption and thereby extending
transparency requirements to predecisional deliberations.39
At the same time, the need “to provide the public with such information” must be
balanced against “protecting the rights of individuals and the ability of the Government to carry
out its responsibilities.”40 As a result, the open meeting obligations of the Sunshine Act are
subject to a number of statutory exemptions.41
5. The Freedom of Information Act (FOIA)

Though FOIA does not directly regulate disclosure during the rulemaking process, it does
provide an independent cause of action that any person can use to require agencies to disclose
information obtained during the rulemaking process. FOIA encourages openness by requiring
agencies to release all records, information, and documents that are not covered by specific
exemptions.42 Not only does it require disclosure of rules of procedure, opinions, interpretations,
and statements of policy in the Federal Register; it mandates that “each agency, upon any

37 Common Cause v. Nuclear Regulatory Comm’n, 674 F.2d 921, 928 (D.C. Cir. 1982).
38 5 U.S.C. § 552b(b).
39 Common Cause, 674 F.2d at 929.
40 § 2, 90 Stat. at 1241.
41 5 U.S.C. § 552b(c).
42 Id. § 552.

request for records . . . shall make the records promptly available to any person” so long as the
request reasonably describes such records and “is made in accordance with published rules . . .
and procedures.”43
The Supreme Court has long recognized that FOIA is “[w]ithout question . . . broadly
conceived” and “seeks to permit access to official information long shielded unnecessarily from
public view and attempts to create a judicially enforceable public right to secure such
information from possibly unwilling official hands.”44 The hope is that more fulsome disclosure
will “‘pierce the veil of administrative secrecy and . . . open agency action to the light of public
scrutiny.’”45 Such transparency will lead to better decisionmaking and “ensure an informed
citizenry, vital to the functioning of a democratic society, needed to check against corruption and
to hold the governors accountable to the governed.”46
B. Legal Duties to Withhold Information

At the same time that some statutes require agencies to make information related to
agency activity widely available, other statutes and even other sections of the same statutes
mentioned above charge agencies with a duty to keep certain CBI and PII from public view: the
Privacy Act of 1974, the privacy provisions of the E-Government Act of 2002, the Trade Secrets
Act, and the exemptions to the Sunshine Act and FOIA.
These statutes and the case law behind them can provide agencies with useful guidance as
to what should be disclosed and what should be withheld during the rulemaking process.

43 Id. § 552(a)(3).
44 EPA v. Mink, 410 U.S. 73, 80 (1973).
45 Dep’t of Air Force v. Rose, 425 U.S. 352, 361 (1976) (quoting the decision below with approval).
46 NLRB v. Robbins Tire & Rubber Co., 437 U.S. 214, 242 (1978).

Particularly important are the judicial decisions determining what should be disclosed under
FOIA exemptions 4 and 6.
1. The Privacy Act of 1974

The preamble of the Privacy Act reflects the concern that the growing use of computers
may have an adverse effect on individual privacy. The findings state that “the privacy of an
individual is directly affected by the collection, maintenance, use, and dissemination of personal
information by Federal agencies” and that “the increasing use of computers and sophisticated
information technology, while essential to the efficient operations of the Government, has greatly
magnified the harm to individual privacy that can occur.”47 As a result, “it is necessary and
proper for the Congress to regulate the collection, maintenance, use, and dissemination of
information by such agencies.”48
The statute’s purpose is “to provide certain safeguards for an individual against an
invasion of personal privacy” by, among other things, “permit[ting] an individual to prevent
records pertaining to him obtained by such agencies for a particular purpose from being used or
made available for another purpose without his consent” and “permit[ting] exemptions . . . only
in those cases where there is an important public policy need for such exemption as has been
determined by the specific statutory authority.”49 As the Supreme Court has noted, the Privacy
Act represents Congress’s recognition that “a strong privacy interest inheres in the nondisclosure
of compiled computerized information.”50

47 Privacy Act of 1974, Pub. L. No. 93-579, § 2(a)(1)–(2), 88 Stat. 1896, 1896, reprinted in 5 U.S.C. § 552a app. at 790 (2018); accord H.R. REP. NO. 93-1416, at 7 (1974) (reporting that “[t]he Privacy Act was passed largely out of concern over “the impact of computer data banks on individual privacy.”).
48 § 2(a)(5), 88 Stat. at 1896.
49 Id. § 2(b)(2) & (5).
50 U.S. Dep’t of Justice v. Reporters Comm. for Freedom of Press, 489 U.S. 749, 766 (1989).

The statute prohibits agencies from “disclos[ing] any record which is contained in a
system of records . . . to any person, or to another agency” without the “prior written consent of,
the individual to whom the record pertains.”51 The statute defines a “record” as:
any item, collection, or grouping of information about an individual that is
maintained by an agency, including, but not limited to, his education, financial
transactions, medical history, and criminal or employment history and that
contains his name, or the identifying number, symbol, or other identifying
particular assigned to the individual, such as a finger or voice print or a
photograph.52
This contrasts with “statistical records,” which are records used “for statistical research or
reporting purposes only” and “not used . . . in making determination about an identifiable
individual.”53
A system of records is “a group of records . . . from which information is retrieved by
the name of the individual or by some identifying number, symbol, or other identifying particular
assigned to the individual.”54 The statute requires all agencies that maintain a system of records
to publish a system of records notice (SORN) in the Federal Register providing notice to the
public of, among other things, the name and location of the system, “categories of individuals on
whom records are maintained,” the types of records maintained in the system, and agency
procedures where an individual can be notified to change his record.55 In addition, the statute
requires every agency that maintains a system of records to “establish . . . safeguards to insure
the security and confidentiality of records and to protect against any anticipated threats or

51 5 U.S.C. § 552a(b).
52 Id. at § 552a(a)(4).
53 Id. at § 552a(a)(6).
54 Id. § 552a(a)(5).
55 Id. § 552a(e)(4).

hazards to their security or integrity which could result in substantial harm, embarrassment,
inconvenience, or unfairness to any individual on whom information is maintained.”56
The Privacy Act’s duty to withhold information is subject to a number of statutory
exemptions, including an explicit exemption for disclosures mandated under FOIA.57 The
Privacy Act provides individuals with a private right of action to enforce any violations of its
terms58 which allows aggrieved plaintiffs to recover “actual damages.”59
2. The E-Government Act of 2002

In addition to the provisions of the E-Government Act requiring agencies to “modernize
and regulate the government’s use of information technology,” the statute contains other
provisions balancing that interest against the need to protect the privacy interests of individuals.60
Among the E-Government Act’s stated purposes is “provid[ing] enhanced access to Government
information and services in a manner consistent with laws regarding protection of personal
privacy, national security, records retention, access for persons with disabilities, and other
relevant laws.”61
To strike the appropriate balance, Section 208 of the E-Government Act (“Privacy
Provisions”) has the stated purpose of “ensur[ing] sufficient protections for the privacy of
personal information as agencies implement citizen-centered electronic Government.”62 It
requires agencies that are “developing or procuring information technology” or “initiating a new

56. Id. § 552a(e)(10).
57. Id. § 552a(b)(2).
58. Id. § 552a(g)(1).
59. Id. § 552a(g)(4)(A); accord Doe v. Chao, 540 U.S. 614 (2004).
60. Elec. Privacy Info. Ctr. v. U.S. Dep’t of Commerce, 928 F.3d 95, 98 (D.C. Cir. 2019).
61. § 2(b)(11), 116 Stat. at 2901 (codified at 44 U.S.C. § 3601 note).
62. § 208(a), 116 Stat. at 2921 (codified at 44 U.S.C. § 3501 note).


collection of information” to conduct “privacy impact assessments” that are reviewed by the
agency’s Chief Information Officer and made publicly available.63 Agencies typically completed
these privacy impact assessments when they switched to using Regulations.gov to collect
comments.64 The statute further requires the OMB Director to develop guidelines for privacy
notices on agency websites.65 Courts have observed that, unlike FOIA, “Section 208 was not
designed to vest a general right to information in the public. Rather, the statute was designed to
protect individual privacy by focusing agency analysis and improving internal agency decisionmaking.”66 Thus, Section 208 does not create a private right of action.67
The E-Government Act also contains provisions regarding the protection of personal
information contained in court filings that, while not directly applicable, may provide useful
guidance regarding practices to protect privacy interests. Section 205 provides that “the Supreme
Court shall prescribe rules . . . to protect privacy and security concerns relating to electronic
filing of documents and the public availability . . . of documents filed electronically” and
authorized the Judicial Conference to issue interim rules.68 “To the extent that such rules provide for
the redaction of certain categories of information in order to protect privacy and security
concerns, such rules shall provide that a party that wishes to file an otherwise proper document
containing such information may file an unredacted document under seal, which shall be retained

63. Id. § 208(b)(1)(A)(i)–(ii), (b)(1)(B); see also OFF. OF MGMT. & BUDGET, OMB GUIDANCE FOR IMPLEMENTING
THE PRIVACY PROVISIONS OF THE E-GOVERNMENT ACT OF 2002 (2003).
64. For an example of a Privacy Impact Assessment, see U.S. ENVTL. PROT. AGENCY, PRIVACY IMPACT ASSESSMENT
FOR THE FEDERAL DOCKET MANAGEMENT SYSTEM/ERULEMAKING (2012), available at
https://www.epa.gov/sites/production/files/2014-03/documents/erulemaking-pia_0.pdf.
65. § 208(c), 116 Stat. at 2923.
66. Elec. Privacy Info. Ctr., 928 F.3d at 103.
67. See, e.g., Elec. Privacy Info. Ctr. v. Presidential Advisory Comm’n on Election Integrity, 266 F. Supp. 3d 297,
315 (D.D.C. 2017).
68. Id. § 205(c)(3)(A)(i), (c)(3)(B)(i), 116 Stat. at 2914 (codified at 44 U.S.C. § 3501 note).


by the court as part of the record.”69 The Court fulfilled this responsibility through additions to
the Federal Rules of Civil Procedure, Federal Rules of Criminal Procedure, Federal Rules of
Bankruptcy Procedure, and rules adopted by specialized courts.70
The implementation of Section 205 required the Supreme Court to use its authority to
“prescribe rules . . . to protect privacy and security concerns relating to electronic filing of
documents and the public availability under this subsection of documents filed electronically.”71
The rules of civil procedure, criminal procedure, and bankruptcy procedure and the rules adopted
by specialized courts created to fulfill this responsibility follow largely the same form. All of
these rules provide that electronic or paper filings “contain[ing] an individual’s social security
number, taxpayer-identification number, birthday, name of an individual known to be a minor, a
financial account number, or home address of an individual” may include only:
• the last four digits of the social-security number and taxpayer-identification number;
• the year of the individual’s birth;
• the minor’s initials; and
• the last four digits of the financial-account number.72

The Federal Rules of Criminal Procedure also permit the inclusion of a fifth type of
information: “the city and state of the home address.”73 For Social Security and immigration
cases, electronic access is limited to the parties and their attorneys, with others having to consult
the full record at the courthouse.74 The obligation to redact applies even when individuals whose

69. Id. § 205(c)(3)(A)(iv).
70. FED. R. CIV. P. 5.2; FED. R. CRIM. P. 49.1; FED. R. BANKR. P. 9037; FED. CL. R. 5.2; CT. INT’L TRADE R. 5.2.
71. § 205(c)(3), 116 Stat. at 2914 (codified at 44 U.S.C. § 3501 note).
72. FED. R. CIV. P. 5.2(a); FED. R. CRIM. P. 49.1(a)(1)–(4); FED. R. BANKR. P. 9037(a); FED. CL. R. 5.2(a); CT. INT’L
TRADE R. 5.2(a).
73. FED. R. CRIM. P. 49.1(a)(5).
74. FED. R. CIV. P. 5.2(c) (establishing this rule for Social Security appeals and immigration cases); FED. R. CRIM. P.
49.1(c) (providing that immigration cases be governed by Federal Rule of Civil Procedure 5.2).


PII is included in the filing have not requested redaction and may not even be aware of the
filing.75
The rule provides a few exemptions where redaction is not necessary, including the
“record of an administrative or agency proceeding.”76 People making the filing have the option
to file an unredacted copy under seal.77 Courts may also “order that a filing be made under seal
without redaction,” “require redaction of additional information” or “limit or prohibit a
nonparty’s remote electronic access to a document filed with the court.”78 The Advisory
Committee for the Federal Rules of Criminal Procedure noted that it was wary of attempts to
fully seal the records.79
3. The Trade Secrets Act

In contrast to the other statutes already discussed in this section, which protect PII, the
Trade Secrets Act guards against the disclosure of CBI. This provision was initially enacted in
1864 to prevent revenue officials from “divulg[ing] . . . the operations, style of work or apparatus
of any manufacturer or producer visited by him in the discharge of official duties.”80 It was
amended in 1930 to refer directly to “trade secrets or processes”81 and was consolidated in 1948
with similar provisions applying to the Tariff Commission and the U.S. Department of
Commerce (DOC) to form a single provision covering all federal officials.82

75. Cline v. Ballard, 528 F. Supp. 2d 634, 636 (S.D. W.Va. 2007).
76. FED. R. CIV. P. 5.2(b)(2); FED. R. CRIM. P. 49.1(b)(2); FED. R. BANKR. P. 9037(b)(2); FED. CL. R. 5.2(b)(2).
77. FED. R. CIV. P. 5.2(f); FED. R. CRIM. P. 49.1(f); FED. R. BANKR. P. 9037(e); FED. CL. R. 5.2(f); CT. INT’L TRADE
R. 5.2(d).
78. FED. R. CIV. P. 5.2(d)–(e); FED. R. CRIM. P. 49.1(d)–(e); FED. R. BANKR. P. 9037(c)–(d); FED. CL. R. 5.2(d)–(e);
CT. INT’L TRADE R. 5.2(b)(c).
79. FED. R. CRIM. P. 49.1, advisory committee’s note; accord Crossman v. Astrue, 714 F. Supp. 2d 284, 290 (D.
Conn. 2009).
80. Revenue Act of 1864, ch. 173, § 38, 13 Stat. 223, 238.
81. Tariff Act of 1930, ch. 497, § 335, 46 Stat. 590, 701.
82. Act of June 25, 1948, ch. 645, § 1905, 62 Stat. 683, 791.


The Trade Secrets Act makes it a federal crime for federal officers or employees to
“publish[], divulge[], disclose[], or make[] known in any manner” information “concern[ing] or
relat[ing] to the trade secrets, processes, operations, style of work, or apparatus, or to the
identity, confidential statistical data, amount or source of any income, profits, losses, or
expenditures of any person, firm, partnership, corporation, or association” that they come across
during the course of their official duties.83 Importantly, this prohibition applies only to
disclosures “not authorized by law.”84 The Trade Secrets Act does not create a private right of
action.85
4. The Sunshine Act Exemptions

The Sunshine Act, like other statutes mentioned, contains several exemptions.
Specifically, Exemption 4 authorizes the withholding of “trade secrets and commercial or
financial information obtained from a person and privileged or confidential,” and Exemption 6
allows the withholding of “information of a personal nature where disclosure would constitute a
clearly unwarranted invasion of personal privacy.”86 The language of these exemptions mirrors
the FOIA exemptions discussed below.
5. The FOIA Exemptions

The Supreme Court has recognized that “[a]t the same time that a broad philosophy of
‘freedom of information’ is enacted into law, it is necessary to protect certain equally important

83. 18 U.S.C. § 1905.
84. Id.
85. Chrysler Corp. v. Brown, 441 U.S. 281, 316–17 (1979).
86. 5 U.S.C. § 552b(c)(4) & (6).


rights of privacy with respect to certain information in Government files.”87 Thus, to protect the
“legitimate governmental and private interests [that] could be harmed by release of certain types of
information,”88 FOIA includes nine specific exemptions delineating circumstances under which
disclosure can be refused.89
The existence of these exemptions should “not obscure the basic policy that disclosure,
not secrecy, is the dominant objective of the Act.”90 Accordingly, the statute specifies that these
exemptions are comprehensive91 and that “the burden is on the agency to sustain its action.”92 To
further promote disclosure, the Supreme Court has approved of establishing discrete categories
of exempt information, as opposed to a case-by-case analysis.93 FOIA is thus a “scheme of
categorical exclusion” that does “not invite a judicial weighing of the benefits and evils of
disclosure on a case-by-case basis.”94 And the Supreme Court has repeatedly emphasized that the
categories created by these exemptions “must be narrowly construed,”95 though it cannot
“arbitrarily restrict” exemptions by adding additional limitations not found within the language
of FOIA.96

87. S. REP. NO. 89-813, at 3 (1965).
88. FBI v. Abramson, 456 U.S. 615, 621 (1982).
89. 5 U.S.C. § 552(b)(1)–(9).
90. Rose, 425 U.S. at 361.
91. 5 U.S.C. § 552(d) (noting that nothing in the Act should be read to “authorize withholding of information or limit the
availability of records to the public, except as specifically stated”).
92. Id. § 552(a)(4)(B).
93. U.S. Dep’t of Justice v. Reporters Comm. for Freedom of Press, 489 U.S. 749, 799 (1989).
94. Abramson, 456 U.S. at 631.
95. Id. at 630; Rose, 425 U.S. at 361.
96. Food Mktg. Inst. v. Argus Leader Media, 139 S. Ct. 2356, 2366 (2019).


a. Exemption 4

Exemption 4 protects “trade secrets and commercial or financial information obtained
from a person and privileged or confidential.”97 The Senate Committee on the Judiciary stated
that Exemption 4 would cover “business sales statistics, inventories, customer lists, and
manufacturing processes” and “information which is given to an agency in confidence, since a
citizen must be able to confide in his Government.”98 “[W]here the Government has obligated
itself in good faith not to disclose documents or information which it receives,” they declared, “it
should be able to honor such obligations.”99 As explored below in section I.C.6, the Supreme
Court recently clarified some of these obligations in Argus Leader.
In 1987, President Reagan issued Executive Order 12,600, which required all agencies
subject to FOIA to promulgate regulations to give certain procedural protections to those
submitting “confidential commercial information.”100 In particular, agency heads must establish
procedures to allow the submitters of confidential commercial information to designate what
information would cause the submitter “substantial competitive harm” if disclosed.101 If such
information is requested under FOIA, the agency must then notify the submitter.102 Notably, however,
the notice requirements need not be followed if “the information has been published or has been
officially made available to the public” or if “the information requested is not designated by the
submitter as exempt from disclosure” even though the submitter had an opportunity to do so.103

97. 5 U.S.C. § 552(b)(4).
98. S. REP. NO. 89-813, at 44 (1965).
99. Id.
100. Exec. Order No. 12,600, 3 CFR 235 (1987).
101. Id.
102. Id.
103. Id.


b. Exemption 6

Exemption 6 covers “personnel and medical files and similar files the disclosure of which
would constitute a clearly unwarranted invasion of personal privacy.”104 The primary purpose of
Exemption 6, as indicated by the legislative history, was “to protect individuals from the injury
and embarrassment that can result from the unnecessary disclosure of personal information.”105
Though Exemption 6 explicitly refers to types of files, the Court has also held that “Exemption
6's protection is not determined merely by the nature of the file containing the requested
information.”106 Information should not lose the protection of Exemption 6 merely because it
is stored in different types of files than personnel and medical.107
For information to be exempted from FOIA under Exemption 6, it must be included in
personnel, medical, or “similar files.”108 Similar files include “government records on an
individual which can be identified as applying to that individual.”109 This includes email
addresses.110 If the information is contained within a “similar file,” courts then consider whether
or not the disclosure would amount to an “unwarranted invasion of privacy.”111
C. Interpretive Decisions Balancing the Duties to Disclose and Withhold

The foregoing sections underscore the legal duties to disclose and withhold information
that agencies overseeing the rulemaking process must take into account. Fortunately, judicial

104. 5 U.S.C. § 552(b)(6).
105. U.S. Dep’t of State v. Wash. Post, 456 U.S. 595, 595 (1982).
106. Id.
107. Id.
108. 5 U.S.C. § 552(b)(6).
109. Prechtel v. FCC, 330 F. Supp. 3d 320, 329 (D.D.C. 2018).
110. Id.
111. U.S. Dep’t of Def. v. Fed. Labor Relations Auth., 510 U.S. 487, 495 (1994).


decisions interpreting these legal obligations provide useful insights into how to strike the proper
balance between these two considerations.
1. Decisions Under the Privacy Act

The Supreme Court has noted that the Privacy Act reflects “Congress’ basic policy
concern regarding the implications of computerized data banks for personal privacy.”112 Four
aspects of Privacy Act jurisprudence help inform the scope of agencies’ duties to disclose or
withhold personal information submitted in rulemaking processes.
a. Records

Judicial interpretation of what constitutes “records” protected by the statute provides
insights into what types of information agencies should protect. The Supreme Court has never
provided any guidance as to what constitutes a record for purposes of the Privacy Act, although
it has stated without elaboration that addresses are records113 and has accepted the government’s
concession that the disclosure of Social Security numbers without consent violated the Privacy
Act.114
Lower courts have taken a variety of approaches to construing what constitutes a record.
Some courts have construed the term narrowly. For example, the D.C. Circuit has parsed the
definition of record carefully, holding that the plain language of the statute requires that the
record contain “information about an individual . . . and that contains his name” or other
identifying information to conclude that the statute requires that information be “about” an

112. Reporters Comm. for Free Press, 489 U.S. at 766.
113. U.S. Dep’t of Def., 510 U.S. at 494.
114. Doe v. Chao, 540 U.S. 614, 617 (2004).


individual in order to be a record.115 If simply containing a person’s name or address were
sufficient, the first clause would be surplusage.116 The Ninth and Eleventh Circuits have held
(without much analysis) that information must reflect some “quality or characteristic” about an
individual in order to be a record.117
Other courts have construed the term broadly.118 The Third Circuit has held that the term
record “encompass[es] any information about an individual that is linked to that individual
through an identifying particular.”119 The Fourth Circuit has similarly held that “a ‘record’ was
meant to ‘include as little as one descriptive item about an individual.’”120 The Second Circuit
largely agreed with the Third Circuit, holding that records under the Privacy Act include “at the
very least, any personal information ‘about an individual that is linked to that individual through
an identifying particular’” and specifically rejecting the approaches taken by the D.C., Ninth, and
Eleventh Circuits.121 Regardless of the standard used, courts have held that contact
information122 and emails123 constitute records under the Privacy Act.

115. Tobey v. NLRB, 40 F.2d 469, 471 (D.C. Cir. 1994).
116. Id.
117. Unt v. Aerospace Corp., 765 F.2d 1440, 1449 (9th Cir. 1985); Boyd v. Secretary of the Navy, 709 F.2d 684, 686
(11th Cir. 1983).
118. See Williams v. Dep’t of Veterans Affairs, 104 F.3d 670, 673 (4th Cir. 1997) (“In general, courts have been
lenient in determining what information constitutes a “record” within the meaning of the Act.”).
119. Quinn v. Stone, 978 F.2d 126, 133 (3d Cir. 1992).
120. Williams v. Dep’t of Veterans Affairs, 104 F.3d 670, 674 (4th Cir. 1997) (quoting Analysis of House and Senate
Compromise Amendments to the Federal Privacy Act, reprinted in LEGISLATIVE HISTORY OF THE PRIVACY ACT OF
1974: SOURCE BOOK ON PRIVACY 866 (1976)).
121. Bechhoefer v. U.S. Dep’t of Justice Drug Enf’t Admin., 209 F.3d 57, 60–63 (2d Cir. 2000) (quoting Quinn, 978
F.2d at 133).
122. Williams v. Shinseki, 161 F. Supp. 3d 91, 94 (D.D.C. 2012).
123. Rivera v. Potter, 400 F. Supp. 2d 404, 409 (D.P.R. 2005).


b. System of Records

The Privacy Act protects only those records contained in a “system of records,” defined
as “a group of records . . . from which information is retrieved by the name of the individual or
by some identifying number, symbol, or other identifying particular assigned to the
individual.”124
Courts have added three important guideposts for determining what constitutes a system
of records. First, information about one individual contained in a record about another individual
is not contained in a system of records.125 For example, information about Jane Doe contained in
a record about John Smith is not a system of records because that information would not be
retrieved by Jane Doe’s name unless the agency had “devised and used an indexing capability”
where they could search other individuals’ files for her name.126
Second, the mere capability of retrieving information about individuals by their name is
not sufficient to turn a group of records into a system of records. The agency must follow an
actual practice of retrieving information by an individual’s name.127 This is an evidentiary
standard—to prove there is a system of records, the plaintiff bringing a Privacy Act claim must
provide evidence that the agency “in practice retrieves information about individuals by
reference to their names.”128
Third and relatedly, whether a group of records is a system of records depends on
whether the agency has gathered the information for the purpose of retrieving information by

124. 5 U.S.C. § 552a(a)(5).
125. Baker v. Dep’t of the Navy, 814 F.2d 1381, 1383 (9th Cir. 1987).
126. Id.
127. Henke v. U.S. Dep’t of Commerce, 83 F.3d 1453, 1459–61 (D.C. Cir. 1996); Baker, 814 F.2d at 1383–84.
128. Henke, 83 F.3d at 1461.


name.129 On the one hand, a database about individuals compiled by a law enforcement agency
for the purpose of investigating crimes that would be routinely queried by name would clearly be
a system of records; on the other hand, information contained in applications and reviews
gathered to implement a grant-making program would not.130 A small number of ad hoc
retrievals by name will not necessarily transform a group of records into a system of records,
although some level of such retrievals clearly will.131
To date, no court has directly addressed whether comments submitted in rulemaking
processes constitute a system of records, and commentators have split on the issue.132 That said,
the fact that EPA has previously filed a SORN for Regulations.gov and other agencies have filed
SORNs for their systems for managing rulemaking dockets implicitly recognizes that these
systems could constitute systems of records for purposes of the Privacy Act.133
c. Consent

The Privacy Act specifically permits disclosure of information with the “prior written
consent of[] the individual to whom the record pertains.”134

129. Id.
130. Id.
131. Id.
132. Compare Daniel F. Solomon, Save the Social Security Disability Trust Fund! And Reduce SSI Exposure to the
General Fund, 36 J. NAT’L ASS’N ADMIN. L. JUDICIARY 142, 222 (2016) (arguing that rulemaking documents are
not systems of records under the Privacy Act), with Bridget C.E. Dooling, Legal Issues in E-Rulemaking, 63 ADMIN.
L. REV. 893, 909 (2011) (arguing that the Federal Docket Management System that provides agency staff with
access to content on Regulations.gov is a system of records under the Privacy Act).
133. See infra Part II.A.4. Note that in 2019, the General Services Administration took over as the new managing
partner of the e-Rulemaking Program, including the Federal Docket Management System and Regulations.gov.
While the GSA has filed a SORN related to its new management, the SORN is only for “partner agencies' users'
names, government issued email addresses, telephone numbers, and passwords as credentials. In addition, users
provide their supervisor's name, telephone number, and government issued email address.” Privacy Act of 1974;
System of Records, 84 Fed. Reg. 53,728 (2019). The SORN does not cover any records “pertaining to agency
rulemakings.” Id.
134. 5 U.S.C. § 552a(b).


d. The Exemption for Disclosures Mandated by FOIA

As explained above, the Privacy Act’s bar against disclosure contains a number of
statutory exemptions. Most importantly, the statute authorizes disclosure when required under
FOIA.135 For example, while the Privacy Act would generally protect the home addresses of
unionized employees that federal agencies like the Department of Defense keep in a system of
records, if FOIA mandated disclosure the Privacy Act would no longer protect such
information.136 Similarly, email addresses collected through commenting websites may be
susceptible to FOIA disclosure, even if they would generally be protected by the Privacy Act.
e. Analysis

Together these considerations suggest that the Privacy Act is unlikely to impose any
direct constraints or obligations on the way agencies handle personal information contained in
comments submitted in public rulemaking dockets. Whether names, addresses, email addresses,
and contact information are likely to be considered records arguably depends on which circuit’s
law applies. That said, repositories of comments are unlikely to constitute systems of records to
the extent they are not collected for the purpose of retrieving them by name and are not routinely
retrieved by name in practice.
More importantly, other considerations provide a clear path for agencies to avoid any
liability under the Privacy Act for any personal information contained in comments submitted in
rulemaking procedures. The fact that consent makes any disclosure permissible allows agencies
simply to post prominent notices on Regulations.gov or other comment websites explaining that

135. Id. § 552(b)(2); accord U.S. Dep’t of Def. v. Fed. Labor Relations Auth., 510 U.S. 487, 494 (1994); Greentree v.
U.S. Customs Serv., 674 F.2d 74, 75 (D.C. Cir. 1982).
136. See U.S. Dep’t of Def., 510 U.S. at 494.


all submitted comments will be made available to the public. In addition, the provision providing
that the Privacy Act’s prohibitions do not apply to any disclosures mandated by FOIA means that
agencies can ensure that they comply with the Privacy Act by complying with the requirements
of FOIA, thus effectively eliminating the Privacy Act as an independent source of liability.
2. Decisions Under the Trade Secrets Act

A key issue confronting agencies handling CBI is how to balance the Trade Secrets Act’s
mandate of withholding CBI with FOIA’s policy of broad disclosure. The legislative history
generated when the Sunshine Act amended FOIA Exemption 3137 provides important guidance
on how to read these statutes together:
[T]he Trade Secrets Act, 18 U.S.C. § 1905, which relates only to the disclosure of
information where disclosure is “not authorized by law,” would not permit the
withholding of information otherwise required to be disclosed by the Freedom of
Information Act, since the disclosure is there authorized by law. Thus, for
example, if material did not come within the broad trade secrets exemption
contained in the Freedom of Information Act, section 1905 would not justify
withholding . . ..138
This language provides a straightforward way to reconcile these statutes. In the words of
the First Circuit, “if the government cannot prove that the requested documents are within FOIA
Exemption 4, their disclosure will not violate section 1905. If the documents are found to be
exempt from disclosure under the FOIA, they will not be disclosed and no question will arise

137. Exemption 3 of FOIA allows withholding of information “prohibited from disclosure by another federal statute”
in certain instances. For example, 26 U.S.C. § 6103 prevents the Internal Revenue Service from disclosing certain
tax information, including Taxpayer Identification Numbers. Church of Scientology v. Internal Revenue Service,
484 U.S. 9, 15 (1987). If a statute either “requires that” matters be withheld with no discretion or “establish
particular criteria for withholding or refer[] to particular types of matters to be withheld,” such information is
exempt from FOIA. 5 U.S.C. § 552(b)(3). For the purposes of this project, if there is any other type of specific
statute requiring the withholding of information, such information can be exempt from FOIA requests.
138. H.R. REP. NO. 94-880, pt. 1, at 23 (1976), reprinted in 1976 U.S.C.C.A.N. 2183, 2205.


under section 1905.”139 The Supreme Court has recognized that the slight differences in the
language of the Trade Secrets Act and FOIA Exemption 4 leave open the “theoretical possibility
that material might be outside Exemption 4 yet within the substantive provisions of § 1905.”140
The Court noted, however, “that possibility is at most of limited practical significance in view of
the similarity of the language between Exemption 4 and the substantive provisions of § 1905.”141
Thus, as was the case with the Privacy Act, an analysis of agencies’ duties under FOIA
effectively resolves the scope of the duties to withhold information under the Trade Secrets Act.
Information that must be disclosed under FOIA is necessarily not prohibited from disclosure
under the Trade Secrets Act.
3. Decisions Under the Administrative Procedure Act

As noted above, the APA imposes affirmative obligations on agencies to disclose
information. At the same time, courts have recognized the need to balance this obligation against
the need to protect CBI.
The D.C. Circuit’s decision in HBO v. FCC presented both sides of the balance. On the
one hand, the process of “comment, reply-comment, and subsequent oral argument” seen as
critical to assuring sound administrative decisionmaking requires that the public have broad
access to the comments submitted during rulemaking proceedings.142 At the same time, the HBO
court found it “conceivable that trade secrets or information affecting national defense, if
proffered as the basis for rulemaking, should be kept secret.”143 The Second Circuit, while

139. 9 to 5 Org. for Women Off. Workers v. Bd. of Governors of Fed. Reserve Sys., 721 F.2d 1, 12 (1st Cir. 1983).
140. Chrysler Corp. v. Brown, 441 U.S. 281, 319 n.49 (1979).
141. Id.
142. Home Box Office, Inc. v. FCC, 567 F.2d 9, 55 (1977).
143. Id. at 57 n.130.


recognizing the need for disclosure of the research on which an agency based its rule, also
parenthetically recognized “an exception for trade secrets or national security.”144 A later D.C.
Circuit decision was less equivocal: “Of course, an agency may decline to include confidential
business information in the public administrative record in certain narrow situations, as long as it
discloses as much information publicly as it can.”145 Consistent with this observation, the
Seventh Circuit upheld an agency decision based in part on a spreadsheet locked into a particular
configuration so long as it gave commenters reasonable opportunity to engage with the data.146
These decisions indicate that agencies have some latitude to withhold CBI in appropriate
circumstances without violating the APA. Agencies exercising this discretion should strive to
disclose as much information as possible and provide sufficient information to permit the public
to respond meaningfully to the proposed agency action.
4. Decisions Under the E-Government Act of 2002

The E-Government Act of 2002 attempts to strike a balance between the need for
openness and disclosure and the need to protect privacy, with a statutory purpose “[t]o provide
enhanced access to Government information and services in a manner consistent with laws
regarding protection of personal privacy.”147 The lack of a private cause of action means that
there are no cases interpreting agencies’ obligations under Section 208 of the Act. The rules that
Section 205 required the Supreme Court to issue provide some insight into how the courts would
protect certain types of information.148

144. U.S. v. Nova Scotia Food Prods. Corp., 568 F.2d 240, 251 (2d Cir. 1977).
145. Flyers Rights Educ. Fund, Inc. v. FAA, 864 F.3d 738, 745 (D.C. Cir. 2017).
146. Zero Zone, Inc. v. U.S. Dep’t of Energy, 832 F.3d 654, 670–71 (7th Cir. 2016).
147. § 2(b)(11), 116 Stat. at 2901 (codified at 44 U.S.C. § 3601 note).
148. See supra notes 71–79 and accompanying text.


Case law applying these rules has held that credit card claimholders may proceed
without disclosing “a debtor’s full account number”149 and has precluded disclosure of Social
Security numbers under the National Voter Registration Act.150 Courts have often been hesitant
to redact information not listed in the rule. For example, the Court of Federal Claims
granted a request to redact a minor child’s birthdate and to reduce the child’s name to initials, but
denied a request to redact all medical information.151
These rules are not binding on agencies. Indeed, the exemption for records of
administrative or agency proceedings dictates that the contents of public rulemaking
dockets largely fall outside their scope. That said, the scope of the judicial redaction
requirements can provide useful guidance to agencies attempting to manage the scope of
disclosure and withholding in public rulemaking dockets. In particular, it highlights the
importance of protecting Social Security numbers, birthdates, financial account numbers, and
addresses and the potential benefits of giving those submitting information the option of
submitting both public copies and redacted copies under seal.
5. Decisions Under the Sunshine Act and Its Exemptions

The Government in the Sunshine Act strikes a balance between openness in government
on the one hand and “legitimate governmental and private interests [that] could be harmed by release
of certain types of information” on the other.152 Because the statute proceeds from a strong

149. In re Burkett, 329 B.R. 820, 831 (Bankr. S.D. Ohio 2005).
150. See Project Vote/Voting For Am., Inc. v. Long, 752 F. Supp. 2d 697, 711–12 (E.D. Va. 2010) (citing the
E-Government Act as support for the proposition that “SSNs are uniquely sensitive and vulnerable to abuse, such that
a potential voter would understandably be hesitant to make such information available for public disclosure”).
151. Langland ex rel. M.L. v. Sec’y of Health & Human Servs., No. 07-36V, 2011 WL 802695, at *10 (Fed. Cl. Feb.
3, 2011).
152. McKinley v. FDIC, 756 F. Supp. 2d 105, 113 (D.D.C. 2010) (internal quotation marks omitted).

presumption that agency meetings should be held in the open, a meeting can be held in private
only if holding it in public would disclose information falling within one of the statutory
exemptions, with the agency bearing the burden of proof of showing the need to withhold and
with the exemptions being narrowly construed.153 Even when one of the exemptions applies,
only the portion of the meeting in which that information is disclosed can be held in private, with
the remainder of the meeting having to be held in open session.154
Because the Sunshine Act exemptions are nearly identical to the FOIA exemptions,
courts interpret the parallel exemptions in both statutes according to the same principles and have
cited judicial precedent interpreting the parallel provision in each statute interchangeably.155
Thus, as was the case with the Privacy Act and the Trade Secrets Act, interpretation of the
Sunshine Act exemptions will likely follow the jurisprudence on the FOIA exemptions.
6. Decisions Under FOIA and Its Exemptions
The most instructive body of law to provide interpretive guidance as to how to strike the
proper balance between disclosure and withholding is the corpus of judicial opinions interpreting

153 Common Cause v. Nuclear Regulatory Comm’n, 674 F.2d 921, 928–29 (D.C. Cir. 1982); see also McKinley, 756
F. Supp. 2d at 113, 115 (construing the Sunshine Act and FOIA exemptions together).
154 Common Cause, 674 F.2d at 929.
155 See id. at 929 & n.21 (noting that
“[i]n general, the Sunshine Act's exemptions parallel those in the Freedom of Information Act (FOIA)” and that
“[o]f the nine exemptions to the Freedom of Information Act, seven are included virtually verbatim in the Sunshine
Act”); Jordan v. U.S. Dep’t of Justice, 591 F.2d 753, 770 (D.C. Cir. 1978) (holding the Sunshine Act
exemptions and the FOIA exemptions to be in pari materia).
On Exemption 4, see McKinley, 756 F. Supp. 2d at 114 (noting that “FOIA’s Exemption 4 and the
Sunshine Act’s Exemption 4 . . . are identical” and invoking FOIA decisions as precedent in Sunshine Act cases).
On Exemption 6, see Applicability of the Fed. Advisory Comm. Act to Nat’l Endowment for Humanities, 4B Op.
O.L.C. 743, 747 n.8 (1980) (“The balancing analysis required under the Sunshine Act’s privacy exemption, 5 U.S.C.
§ 552b(c)(6), is essentially similar to that required under the privacy exemption of the Freedom of Information Act,
5 U.S.C. § 552(b)(6), except that the latter, dealing with records involves the additional issue whether a document is
the type of ‘file’ covered by the exemption.”).

the FOIA exemptions. In addition, as noted earlier, the proper interpretation of FOIA largely
drives the results under the Privacy Act, the Trade Secrets Act, and the Sunshine Act.
The Supreme Court has recognized that FOIA’s “basic purpose reflected ‘a general
philosophy of full agency disclosure unless information is exempted under clearly delineated
statutory language.’”156 FOIA’s structure, which provides for a general duty to disclose cabined
by strictly limited exemptions, “represents a carefully considered balance between the right of
the public to know what their government is up to and the often compelling interest that the
government maintains in keeping certain information private.”157 As a result, FOIA mandates a
“strong presumption in favor of disclosure [that] places the burden on the agency to justify the
withholding of any requested documents.”158 As noted earlier, the exemptions are considered
comprehensive and narrowly construed.
In addition, Congress has “repeated[ly] reject[ed] any interpretation of the FOIA which
would allow an agency to withhold information on the basis of some vague ‘public interest’
standard.”159 Instead, the Supreme Court has approved of establishing discrete categories of
exempt information, as opposed to determining the scope of particular exemptions on a case-by-case analysis.160 FOIA is a “scheme of categorical exclusion; it did not invite a judicial weighing
of the benefits and evils of disclosure on a case-by-case basis.”161
In some instances, agencies can still use their discretion to disclose information under
FOIA even if such information is covered by an exemption. The application of FOIA exemptions

156 Dep’t of Air Force v. Rose, 425 U.S. 352, 360–61 (1976) (quoting S. REP. NO. 89-813, at 3 (1965)).
157 John Doe Agency v. John Doe Corp., 493 U.S. 146, 152–53 (1989).
158 U.S. Dep’t of State v. Ray, 502 U.S. 164, 173 (1991).
159 Fed. Open Mkt. Comm. v. Merrill, 443 U.S. 340, 354 (1979).
160 U.S. Dep’t of Justice v. Reporters Comm. for Freedom of Press, 489 U.S. 749, 779 (1989).
161 Abramson, 456 U.S. at 631.

is discretionary, not mandatory, and “Congress did not design the FOIA exemptions to be
mandatory bars to disclosure.”162 However, agencies may only make a discretionary disclosure
“where they are not otherwise prohibited by law from doing so.”163 As explored above, for
Exemption 4, such a legal prohibition would be the Trade Secrets Act; for Exemption 6, the
Privacy Act. An agency’s ability to use its discretion to disclose information under Exemptions 4
and 6 is discussed below.
a. Exemption 4

Although the definition of trade secrets is relatively clear, until recently what constitutes
“commercial or financial information obtained from a person and privileged or confidential”
within the meaning of Exemption 4 was less clear.164 The Supreme Court’s 2019 decision in
Food Marketing Institute v. Argus Leader Media identified two conditions for determining when
information is confidential: (1) whether the information is “closely held” in that it is not shared
freely and (2) whether it is disclosed “only if the party receiving it provides some assurance that
it will remain secret.”165 In so holding, the Court declined to resolve whether both were
necessary and rejected a line of authority initiated by the D.C. Circuit’s decision in National
Parks & Conservation Ass’n v. Morton that added the further requirement that the disclosure of
the information would cause substantial competitive harm.166

162 Chrysler Corp. v. Brown, 441 U.S. 281, 293 (1979).
163 U.S. Dep’t of Justice, Waiver and Discretionary Disclosure, DEPARTMENT OF JUSTICE GUIDE TO THE FREEDOM
OF INFORMATION ACT 16 (Aug. 28, 2019), available at https://www.justice.gov/oip/page/file/1198006/download.
164 5 U.S.C. § 552(b)(4).
165 139 S. Ct. 2356, 2363 (2019). The Supreme Court cited with approval a Ninth Circuit decision concluding that
Exemption 4 “would protect information that a private individual wishes to keep confidential for his own purposes,
but reveals to the government under the express or implied promise of confidentiality.” Id. (quoting Gen. Servs.
Admin. v. Benson, 415 F.2d 878, 881 (9th Cir. 1969) (internal quotation marks omitted)).
166 Id. at 2363–65 (overturning Nat’l Parks & Conservation Ass’n v. Morton, 498 F.2d 765, 767 (D.C. Cir. 1974)).

Sufficient assurances of confidentiality can be implied or express.167 However, such
assurance can be implied only if expectations of privacy are reasonable.168
District courts have further clarified this ruling, establishing that only information
“originating from the companies themselves” can be information that is customarily and actually
kept private.169 Courts also consider the steps that business owners took to keep information
private.170 With respect to the government, Exemption 4 is intended to allow the government to
honor any good faith promises it has made not to disclose certain documents.171 The failure to
invoke available mechanisms for protecting CBI constitutes a waiver of rights to confidential
treatment under Exemption 4.172
Because the Food Marketing Institute decision is new, the doctrine will likely develop as
courts begin to interpret it. In any event, even if certain information in a document is exempt,
non-exempt portions of a document “must be disclosed unless they are inextricably intertwined
with exempt portions.”173
Most information falling under Exemption 4 is not appropriate for discretionary
disclosure by an agency. If an agency chose to disclose information falling under Exemption 4,
businesses could bring a reverse FOIA174 suit under the APA alleging that the agency’s actions

167 Id. at 2363.
168 U.S. Dep’t of Justice v. Landano, 508 U.S. 165, 179 (1993) (holding that “an implied assurance of
confidentiality” may be reasonably inferred under FOIA Exemption 7(D) based on certain “generic circumstances”),
cited with approval by Food Mktg. Inst., 139 S. Ct. at 2363–64.
169 Am. Small Bus. League v. U.S. Dep’t of Def., 411 F. Supp. 3d 824, 830 (N.D. Cal. 2019).
170 See Animal Legal Def. Fund v. U.S. Food & Drug Admin., 790 Fed. Appx. 134, 136 (9th Cir. 2020) (remanding
due to a lack of evidence regarding “what specific steps each producer took to keep its information confidential”).
171 See supra note 99 and accompanying text.
172 Gulf & W. Indus., Inc. v. United States, 615 F.2d 527, 533 n.11 (D.C. Cir. 1979).
173 Mead Data Cent., Inc. v. U.S. Dep’t of Air Force, 566 F.2d 242, 260 (D.C. Cir. 1977).
174 A reverse FOIA suit is one where “submitter of information–usually a corporation or other business entity
required to report various and sundry data on its policies, operations, or products–seeks to prevent the agency that
collected the information from revealing it to a third party in response to the latter's FOIA request.” CNA Fin. Corp.
v. Donovan, 830 F.2d 1132, 1133 n.1 (D.C. Cir. 1987).

were “arbitrary and capricious” or “not in accordance with law” under the Trade Secrets Act.
Thus, “in the absence of a statute or properly promulgated regulation giving an agency authority
to release the information -- which would remove the Trade Secrets Act's disclosure
prohibition—a determination that requested material falls within Exemption 4 is tantamount to a
determination that the material cannot be released, because the Trade Secrets Act ‘prohibits’
disclosure.”175 In other words, if a company properly submits something confidentially and
retains its privilege, agencies cannot then decide in their discretion to disclose it unless there was
an approving statute.
b. Exemption 6

As noted above, Exemption 6 allows agencies to withhold “personnel and medical files
and similar files the disclosure of which would constitute a clearly unwarranted invasion of
personal privacy.”176 The Supreme Court has held that the catchall reference to “similar files”
includes “[g]overnment records on an individual which can be identified as applying to that
individual,” including email addresses.177 The Court has also made clear that the term should be
read expansively rather than narrowly.178
If the information is contained within a “similar file,” the statute requires courts to
determine “whether the disclosure of [that information]” would amount to “a clearly unwarranted
invasion of personal privacy.”179 Courts making this determination must balance the public
interest in disclosure against the privacy interest of the individual,180 bearing in mind that “under

175 Id. at 1151-52.
176 5 U.S.C. § 552(b)(6).
177 U.S. Dep’t of State v. Wash. Post Co., 456 U.S. 595, 602 (1982).
178 Id. at 600.
179 5 U.S.C. § 552(b)(6).
180 Lepelletier v. FDIC, 164 F.3d 37, 46 (D.C. Cir. 1999).

Exemption 6, the presumption in favor of disclosure is as strong as can be found anywhere in the
Act.”181
The public’s interest in disclosure turns on whether disclosure would “‘contribute
significantly to public understanding of the operations or activities of the government.’”182
Courts applying this standard have ruled that the interest in disclosure is particularly strong in the
context of rulemaking. For example, in ordering the disclosure of email addresses from which
bulk comments were submitted in a rulemaking hearing, one court held that “disclosing the
identities of those seeking to influence an agency’s actions can shed light on those actions.”183
Another court mandating the disclosure of commenters’ names and addresses similarly held that
“the public has much to learn about [the agency’s] rulemaking process from the disclosure of
commenters’ names and addresses,” including whether “multiple comments [have been]
submitted by a single contributor” and whether the agency gave greater weight to residents living
near the affected region.184 Thus, “[a]n agency decision formulating a final rule, which relies in
part on written comments submitted by members of the public, clearly warrants full disclosure of
those comments.”185 Courts have been less willing to disclose names and addresses when there is
no indication of “‘any apparent significance attached to individual commenters’ geographical
locations.’”186
Conversely, commenters’ privacy interest in their names and addresses is particularly
weak for voluntary submissions when the portal for submission gave commenters notice that

181 Wash. Post Co. v. U.S. Dep’t of Health & Human Servs., 690 F.2d 252, 261 (D.C. Cir. 1982).
182 U.S. Dep’t of Justice v. Reporters Comm. for Freedom of Press, 489 U.S. 749, 775 (1989) (quoting 5 U.S.C.
§ 552(a)(4)(A)(iii)).
183 Prechtel v. FCC, 330 F. Supp. 3d 320, 330 (D.D.C. 2018).
184 All. for Wild Rockies v. Dep’t of Interior, 53 F. Supp. 2d 32, 37 (D.D.C. 1999).
185 Id.
186 Prechtel, 330 F. Supp. 3d at 331 (quoting People for Am. Way Found. v. Nat’l Park Serv., 503 F. Supp. 2d 284,
307 n.8 (D.D.C. 2007)).

the submission would be made available to the public187 and the commenter did not avail
themselves of available measures to protect their privacy.188 After all, privacy under FOIA can
undoubtedly be waived.189 Note, however, that commenters (or agents) cannot waive privacy
on behalf of third parties.190
Courts also consider the consequences and possible injuries for potentially identified
individuals whose information is disclosed. The “scope of the privacy interest” is far greater
when the consequences include, for example, “identity theft and other forms of fraud” as
opposed to mere embarrassment.191 The possibility of mistreatment, harassment, or retaliation
that could occur from disclosure of identities is also considered.192 Even increased exposure to
solicitors trying to sell something has been considered an unwarranted invasion of privacy.193
Identifying information must be weighed “not only from the viewpoint of the public, but
also from the vantage of those who would have been familiar[] with other aspects of” the
individual’s life.194 Even if someone could not identify an individual merely by the documents
being disclosed, courts must also consider whether someone who knew a few more details about

187 Id. at 329 (“The bulk submitters’ privacy interest in their email addresses is minimal in this context. Importantly,
bulk submitters had ample indication that their email addresses could be made public, mitigating any expectation of
privacy.”); id. at 330 (“[W]hen someone submits multiple comments to influence public policy and is told that her
email address will become part of the public record, her privacy interest in that email address is not as strong as the
Commission now suggests.”).
188
All. for Wild Rockies, 53 F. Supp. 2d at 37 (“[The agency] made it abundantly clear in its notice that the
individuals submitting comments to its rulemaking would not have their identities concealed. Had defendants
intended otherwise, they could have taken efforts at the time the notice was published to assure commenters that
their responses would be confidential or to offer them the opportunity to request anonymity.”).
189
Comput. Prof’ls for Soc. Responsibility v. U.S. Secret Serv., 72 F.3d 897, 904 (D.C. Cir. 1996).
190
Sherman v. U.S. Dep’t of Army, 244 F.3d 357, 359 (5th Cir. 2001) (“[W]e . . . reject Sherman’s argument that
the Army has the power to waive the privacy interest of service personnel in limiting the disclosure of their social
security numbers . . . .”).
191
Id. at 365.
192
See U.S. Dep’t of State v. Ray, 502 U.S. 164, 176 (1991) (“[T]he privacy interest in protecting [Haitian nationals
who had been denied asylum and returned to Haiti] from any retaliatory action that might result from a renewed
interest in their aborted attempts to emigrate must be given great weight.”).
193
Nat’l Ass’n of Retired Fed. Emps. v. Horner, 879 F.2d 873, 876 (D.C. Cir. 1989).
194
Dep’t of Air Force v. Rose, 425 U.S. 352, 380 (1976).

the individual’s life could put two and two together.195 Thus, the concern over unwarranted
disclosure of private information is not with the identifying information on its face, but rather
with the practical impact of the disclosure, including “the connection between such information
and some other detail—a statement, an event, or otherwise—which the individual would not
wish to be publicly disclosed.”196 After all, no one can guarantee that those “in the know will
hold their tongues.”197 The Court also notes that in an organized society, privacy rights instead
depend on the degree of dissemination and the extent to which time has rendered previously
disclosed information private.198
Applying these criteria, courts have considered records that contain information such as
“place of birth, date of birth, date of marriage, employment history, and comparable data” as
‘similar files’ for the first step of the Exemption 6 analysis.199 Similarly, Social Security numbers
have been held exempt under FOIA.200
Applying the FOIA Exemption 6 balancing test, personal financial information such as
bank numbers or Social Security numbers is most likely to be exempted from disclosure even
when included in public comments. A Social Security number or account number would not help
inform a citizen of an agency’s actions and would open up the commenter to extreme identity
theft risk. In situations where such information would help citizens understand an agency’s
actions, however, names, addresses, and other important information included in the comment
(like personal medical information) will likely not be exempt. Because these are comments the

195 Id.
196 Halloran v. Veterans Admin., 874 F.2d 315, 321 (5th Cir. 1989).
197 Id. (internal quotation marks omitted).
198 Reporters Comm., 489 U.S. at 763.
199 U.S. Dep’t of State v. Wash. Post Co., 456 U.S. 595, 599 (1982).
200 Sherman v. U.S. Dep’t of Army, 244 F.3d 357, 359 (5th Cir. 2001).

agency considered, the contents will certainly contribute to public understanding of an agency’s
thought process or activities. Note that since someone cannot waive a third party’s privacy
interests, the privacy interest for information submitted by a third party is likely higher than that
for information someone submitted about themselves.
Typically, “if Privacy-Act information falls within a FOIA exemption, a discretionary
release of such information is not appropriate.”201 As explored above, if the information involved is
covered by the Privacy Act, agencies cannot use their discretion to disclose it, as it would be
barred by statute. However, in the instances where the Privacy Act does not apply and there has
been a waiver, discretionary disclosure may be appropriate. Similarly, reverse FOIA suits
regarding Exemption 6 have not always been successful, indicating that discretionary disclosure
of material covered by FOIA Exemption 6 is sometimes appropriate.202
c. Analysis

These decisions have considerable implications for agencies’ obligations to disclose or
withhold comments submitted in public rulemaking dockets. Regarding CBI, Food Marketing
Institute makes it clear that any information that commenters submit without following the steps
needed for confidential submission will fall outside Exemption 4 and be subject to public
disclosure under FOIA.
Regarding personal information, the inquiry into whether a disclosure would constitute an
unwarranted invasion of privacy requires balancing the public interest in disclosure against the

201 U.S. Dep’t of Justice, supra note 161, at 16.
202 See Bartholdi Cable Co. v. FCC, 114 F.3d 274, 282 (D.C. Cir. 1997) (denying petitioner’s request to force
agency to withhold information under Exemption 6 because FOIA exemptions are discretionary). But see Campaign
for Family Farms v. Glickman, 200 F.3d 1180, 1182 (8th Cir. 2000) (enjoining an agency to withhold information
under Exemption 6).

private interest in withholding. In the context of notice-and-comment rulemaking, the public
interest in disclosing is strong, and the fact that commenters received notice that their comments
will be made public unless they exercise the confidential submission process makes the privacy
interest somewhat attenuated. Even in the case of inadvertent submission, the fact that submitters
receive warnings about confidentiality lowers their privacy interests.
Thus, while certain contact information may fall outside of Exemption 6 and be subject to
disclosure as long as proper disclaimers are given, Social Security numbers and bank account
numbers, which provide little benefit in helping the public evaluate government actions, should be
withheld.
D. Synthesizing the Duties and Interpretive Decisions
The body of judicial decisions interpreting the statutes discussed above provides useful
guidance for how agencies should give effect to the policy in favor of open government while
simultaneously fulfilling agencies’ duty to protect certain types of information. Although these
statutes contain frameworks for analyzing the relevant tradeoffs that are theoretically distinct, the
terms of the Privacy Act, the Trade Secrets Act, and the Sunshine Act look to FOIA to provide
the relevant principles.
FOIA thus represents a key lodestar for determining the proper way to balance agencies’
duties to disclose and their duties to withhold. It reflects a strong, default commitment to full
disclosure. Absent specific congressional direction reflected in one of the specified lists of
narrowly construed statutory exemptions, the policies in FOIA counsel strongly in favor of
disclosure.
On the other hand, privacy interests are relatively weak for comments submitted
voluntarily into a portal containing a warning that all comments would be publicly available and
when the commenter did not avail themselves of available measures to protect their privacy.
Privacy interests are stronger for information such as Social Security and bank account numbers,
place of birth, date of birth, date of marriage, and employment history, where their disclosure
would provide few public benefits and raise significant risks of identity theft. In instances where
someone’s personal information (for example, location, place of birth, or employment history)
would provide public benefits, the privacy interest is mixed. In such situations, agencies could
redact the information to reduce the risks of identity theft. For example, exact dates of
employment could be redacted within the comment, leaving only the years an employee worked there;
birth days, but not months, could be redacted.
Agencies can mitigate these risks by making prominent disclosures that comments are
generally publicly available and providing clear instructions for commenters who wish to make
confidential submissions. Both FOIA and the E-Government Act of 2002 suggest that agencies
should consider reviewing comments and redacting Social Security numbers, bank account
numbers, birth dates, wedding dates, and comparable data. Addresses may be reduced to city and
state in appropriate circumstances where the exact location of the submitter was not relevant to
rulemaking. The APA recognizes the discretion for agencies to withhold confidential business
data. Any redactions must provide meaningful opportunity for the public to engage with the
comments.203

203 See Am. Radio Relay League, Inc. v. F.C.C., 524 F.3d 227, 237 (D.C. Cir. 2008) (explaining that information
“upon which an agency relies in promulgating a rule must be made available during the rulemaking in order to
afford interested persons meaningful notice and an opportunity for comment” and cannot be cherry-picked with
redactions).

II. AGENCY PRACTICES WITH RESPECT TO DISCLOSING AND WITHHOLDING PROTECTED MATERIALS IN RULEMAKING DOCKETS
The research team supplemented its analysis of the legal materials regarding agency
duties to disclose and withhold protected materials with an assessment of real-world agency
practices. This research focused on two types of sources. First, it reviewed publicly available
materials, including:
• Language in NPRMs issued by agencies;
• System of Record Notices (SORNs) issued by all agencies examined; and
• Agency web portals for accepting comments in rulemaking proceedings.

Second, the research team gathered information directly from agency officials. It did so
in three ways:
• A roundtable on January 8, 2020, in which 17 officials from 14 agencies participated;
• In-depth interviews with officials from 6 agencies;204 and
• A survey of agency practices sent to 43 agencies (see Appendix A for the survey text).

The survey generated 27 responses from 23 agencies,205 although not all
respondents answered every question. Seventeen of the responses were from people explicitly
identified as attorneys (general counsels, special counsels, and attorneys).

204 We interviewed officials from EPA, DHS, SEC, DOE, FCC, and Treasury.
205 The 23 agencies that responded to the survey in some capacity are the Board of Governors of the Federal Reserve
System; Centers for Medicare & Medicaid Services, HHS; Federal Trade Commission; Internal Revenue Service;
National Labor Relations Board; Pension Benefit Guaranty Corporation; Postal Regulatory Commission; Social
Security Administration; Surface Transportation Board; U.S. Commodity Futures Trading Commission; U.S.
Consumer Product Safety Commission; U.S. Department of Agriculture; U.S. Department of Defense; U.S.
Department of Education; U.S. Department of Housing and Urban Development; U.S. Department of Homeland
Security; U.S. Department of Labor (OSHA); U.S. Department of State; U.S. Department of Veterans Affairs; U.S.
Department of Transportation; U.S. Equal Employment Opportunity Commission; U.S. Food and Drug
Administration; and the U.S. Nuclear Regulatory Commission.

A. Advance Notice of Policies Governing Protected Materials
One set of questions in the survey focused on how agencies provide guidance to
commenters and other individuals submitting information. Eighteen respondents representing 17
agencies explained the types of situations in which they give guidance regarding policies on the
submission of CBI and PII. Their responses are summarized in Table 1.
Table 1: Ways Agencies Surveyed Provide Advance Disclosures of Policies Regarding CBI
and PII

Type                                                   Responses
Notices in NPRMs                                       17
Notices provided prior to public meetings              6
Guidance provided on websites                          4
Notices on surveys                                     4
Agency regulations                                     2
Notices provided during negotiated rulemakings         2
Notices regarding ex parte communications              2
Guidance in Systems of Records Notices (SORNs)         1

Seventeen of 27 responses (63%), and all agencies who responded to the question,206
indicated that they rely on language in NPRMs and Advance NPRMs to notify individuals of
their policies regarding withholding and disclosure of CBI and PII. Other mechanisms include
notices provided prior to public meetings (6 responses/22%), guidance on websites (4
responses/14%), notices on surveys (4 responses/14%), agency regulations (2 responses/7%),
notices provided during negotiated rulemakings (2 responses/7%), notices regarding ex parte
communications (2 responses/7%), and guidance in Systems of Records Notices (SORNs) (1
response/4%).

206 Note that one additional agency selected “other,” but did not describe any method aside from saying that it
“provides notice.”

1. Notices of Proposed Rulemaking (NPRMs)
The most common practice for providing advance notice of policies regarding the
disclosure and withholding of CBI and PII is to include language describing those policies in
NPRMs published in the Federal Register. To assess this practice, the research team examined
NPRMs issued by all 43 agencies examined to assess the disclosures they made about the
handling of CBI and PII submitted in comments. The results are summarized in Table 2 and
reported in Appendix B.
Table 2: Terms Agencies Examined Include in NPRMs to Disclose Policies Regarding CBI
and PII

Type                                                                            Responses
Notice that comments will be disclosed to the public                            37
Guidance not to include PII/CBI in comments                                     10
Guidance not to include PII in comments                                         8
Guidance not to include CBI in comments                                         1
Guidance regarding alternative mechanisms for submitting PII or CBI             9
Notice of agency discretion to redact information from comments                 1
Guidance on how to challenge decisions regarding disclosure or withholding      5

One striking aspect is that guidance regarding protected materials tends to reflect
the likelihood that an agency will encounter CBI and PII given its particular mission. Three agency
survey responses emphasized that the nature of their work rarely requires them to encounter or
deal with PII or CBI. One noted that its rules consist of legal interpretations that do not require
access to protected materials. Another indicated that its authority is limited to setting rates and
that that authority does not require access to protected materials. A third looks exclusively at
firm-level data that is generally publicly available.
The same insight is implicit in the practice of disclosing policies with respect to protected
materials in NPRMs. The following 9 agencies include language in their NPRMs directing
commenters not to disclose PII without mentioning CBI: Consumer Finance Protection Board
(CFPB), National Labor Relations Board (NLRB), Occupational Safety and Health
Administration (OSHA), U.S. Department of State (DOS), U.S. Equal Employment Opportunity
Commission (EEOC), U.S. Nuclear Regulatory Commission (NRC), U.S. Office of Government
Ethics (OGE), and U.S. Securities and Exchange Commission (SEC). Although there are some
conspicuous absences,207 many of these appear to be agencies whose work is more likely to
encounter personal information. Conversely, the only agency to include language in its NPRM
directing commenters not to disclose CBI without mentioning PII is the U.S. Environmental
Protection Agency (EPA), which is likely to receive significant amounts of commercially
sensitive information, but is unlikely to encounter PII.
The implication is that policies regarding the disclosure and withholding of protected
materials should give agencies flexibility to modify them to reflect each agency’s particular area
of responsibility. For example, while a blanket notice for all commenters on commenting
websites would be sufficient for every agency no matter what they encounter, policies regarding
the challenging of disclosure and withholding or the submission of confidential material may
change depending on the volume of information an agency receives.
a. Notices of public disclosure of any protected materials contained in comments

The survey of NPRMs reveals that the most common practice among agencies is to notify
commenters that all submissions will be made available to the public. As indicated in Table 2, 37
of the 43 agencies examined (86%) include such disclosures in their NPRMs.

207 One might have expected to find the Centers for Medicare and Medicaid Services (CMS), DVA, and OPM on
this list. These three agencies do not provide any guidance about nondisclosure regardless of whether it is PII.

Many agencies disclose that all comments will be made public without making specific
reference to PII or CBI. For example, an NPRM issued by the Internal Revenue Service (IRS)
simply states, “All comments will be available at http://www.regulations.gov or upon
request.”208 The U.S. Department of Veterans Affairs (DVA) adopts a similar practice, including
language in a recent NPRM stating, “Copies of comments received will be available for public
inspection in the Office of Regulation Policy and Management, Room 1063B, between the hours
of 8:00 a.m. and 4:30 p.m. Monday through Friday (except holidays).”209 An NPRM adopted by
the Federal Energy Regulatory Commission (FERC) also provides, “All comments will be
placed in the Commission’s public files and may be viewed, printed, or downloaded remotely as
described in the Document Availability section below.”210
Some agencies advise commenters to exercise caution in determining what to submit
without mentioning any particular type of information. For example, a recent NPRM issued by
the Commodity Futures Trading Commission (CFTC) states, “Comments will be posted as
received to http://www.cftc.gov. You should submit only information that you wish to make
available publicly.”211 The U.S. Department of Education’s (ED’s) NPRMs provide a slightly
longer disclosure along the same lines:
Privacy Note: The Department’s policy is to make all comments received from
members of the public available for public viewing in their entirety on the Federal
eRulemaking Portal at www.regulations.gov. Therefore, commenters should be
careful to include in their comments only information that they wish to make
publicly available.212

208 Revised Applicability Dates for Regulations Under Section 382(h) Related to Built-in Gain and Loss, 85 Fed.
Reg. 2,061, 2,063 (Jan. 14, 2020).
209 Veterans Community Care Program-Organ and Bone Marrow Transplant Care, 84 Fed. Reg. 13,576, 13,577
(Apr. 5, 2019).
210 Electric Reliability Organization Proposal to Retire Requirements in Reliability Standards Under the NERC
Standards Efficiency Review, 85 Fed. Reg. 6,831, 6,838 ¶ 55 (Feb. 6, 2020).
211 Certain Swap Data Repository and Data Reporting Requirements, 84 Fed. Reg. 21,044, 21,044 (May 13, 2019)
(emphasis added).

Some notices specify that certain types of information contained in comments will be
made available to the public. NPRMs issued by the U.S. Department of Defense (DOD) and the
U.S. Office of Personnel Management (OPM) warn that public disclosure of comments will
include any “personal identifiers or contact information” contained therein.213 An NPRM issued
by the U.S. International Trade Commission (USITC) broadens this notice to caution
commenters that “any personal information provided will be viewable by the public.”214 A recent
NPRM issued by the U.S. Department of Transportation’s (DOT) Federal Aviation
Administration similarly stated: “We will post all comments we receive, without change, to
http://www.regulations.gov, including any personal information you provide.”215
The Centers for Medicare & Medicaid Services (CMS) is the only agency to refer to both
CBI and PII in its guidance regarding the public disclosure of comments submitted: “Inspection
of Public Comments: All comments received before the close of the comment period are
available for viewing by the public, including any personally identifiable or confidential
business information that is included in a comment.”216

212 Federal Perkins Loan Program, Federal Work-Study Programs, Federal Supplemental Educational Opportunity
Grant Program, Federal Family Education Loan Program, William D. Ford Federal Direct Loan Program, Teacher
Education Assistance for College and Higher Education Grant Program, Federal Pell Grant Program, Leveraging
Educational Assistance Partnership Program, and Gaining Early Awareness and Readiness for Undergraduate
Programs, 84 Fed. Reg. 67,778, 67,778 (Dec. 11, 2019).
213 Department of Defense Privacy Program, 83 Fed. Reg. 46,542, 46,542 (Sept. 13, 2018); Prevailing Rate Systems;
Definition of Pitt County, North Carolina, to a Nonappropriated Fund Federal Wage System Wage Area, 84 Fed.
Reg. 72,250, 72,250 (Dec. 31, 2019).
214 Rules of General Application, 82 Fed. Reg. 44,982, 44,983 (Sept. 27, 2017).
215 Airworthiness Directives; Airbus SAS Airplanes, 84 Fed. Reg. 30,637, 30,637 (June 27, 2019) (emphasis added).
216 Basic Health Program; Federal Funding Methodology for Program Year 2021, 85 Fed. Reg. 27, 7501 (Feb. 10,
2020) (emphasis added).

b. Guidance not to submit protected materials in comments

Some agencies went beyond a warning about the potential public disclosure of protected
materials contained in comments by providing guidance not to include such protected materials
in rulemaking submissions. As indicated in Table 2, 10 of the 43 agencies examined (23%)
included language in their NPRMs cautioning submitters against including PII or CBI in their
comments. An additional 8 agencies (19%) made a similar warning limited to PII, with 1 other
agency (2%) offering a similar warning limited to CBI.
Some agencies refer to protected materials generally without referring specifically to PII
or CBI. For example, an NPRM issued by the Office of the Comptroller of the Currency (OCC)
made a general warning “not to include any information in your comment or supporting
materials that you consider confidential or inappropriate for public disclosure.”217
Other agencies referred directly to CBI. A recent NPRM issued by the EPA contained the
following language: “Do not submit electronically any information you consider to be
Confidential Business Information (CBI) or other information whose disclosure is restricted by
statute.”218 Other agencies’ NPRMs gave specific examples of CBI:
• DOC: “business information, or otherwise proprietary, sensitive or protected
information.”219
• U.S. Department of Energy (DOE): “trade secrets and commercial or financial
information.”220
• OMB: “confidential business information, trade secret information, or other sensitive
or protected information.”221
• Federal Election Commission (FEC): “trade secrets or commercial or financial
information.”222

217 Employment Contracts, Mutual to Stock Conversions, 85 Fed. Reg. 1,052, 1,052 (Jan. 8, 2020).
218 Air Plan Approval; FL; 2010 1-Hour SO2 NAAQS Transport Infrastructure, 85 Fed. Reg. 7,480, 7,480 (Feb. 10,
2020).
219 Guidance on Federal Conformity Assessment Activities, 85 Fed. Reg. 7,258, 7,258 (Feb. 7, 2020).
220 Energy Conservation Program: Energy Conservation Standards for Consumer Refrigerators,
Refrigerator-Freezers, and Freezers, 84 Fed. Reg. 62,470, 62,481 (Nov. 15, 2019).
221 OMB Freedom of Information Act Regulation, 83 Fed. Reg. 42,610, 42,610 (Aug. 23, 2018).

The language in a recent Federal Trade Commission (FTC) NPRM was even more
specific:
In addition, your comment should not include any “trade secret or any
commercial or financial information which . . . is privileged or confidential”—as
provided by section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule
4.10(a)(2), 16 CFR 4.10(a)(2)— including in particular, competitively sensitive
information such as costs, sales statistics, inventories, formulas, patterns, devices,
manufacturing processes, or customer names.223
DOE’s disclosure explicitly provided that “[c]omments submitted through
http://www.regulations.gov cannot be claimed as CBI” and that “[c]omments received through
the website will waive any CBI claims for the information submitted.”224 One interview
participant concurred that commenters that post PII despite these warnings have essentially
waived any claims to confidentiality or protection.
Regarding PII, many agencies’ NPRMs advise commenters not to include any PII in their
comments. For example, the DOS, NRC, and SEC limit this warning to “identifying or contact
information” or “personal identifying information.”225 Other agencies augment this warning with
lists of particular types of PII:
• CFPB: “account numbers or Social Security numbers, or names of other
individuals.”226
• DOC: “account numbers or Social Security numbers, or names of other
individuals.”227
• FEC: “home street address, personal email address, date of birth, phone number,
social security number, or driver’s license number.”228
• NLRB: “Social Security numbers, personal addresses, telephone numbers, and email
addresses.”229
• OSHA: “Social Security Numbers, birthdates, and medical data.”230
• OGE: “account numbers or Social Security numbers.”231
• U.S. Social Security Administration (SSA): “Social Security numbers or medical
information.”232

222 Internet Communication Disclaimers and Definition of “Public Communication,” 83 Fed. Reg. 12,684, 12,684
(Mar. 26, 2018).
223 Military Credit Monitoring, 83 Fed. Reg. at 57,699.
224 Energy Conservation Program, 84 Fed. Reg. at 62,482.
225 List of Approved Spent Fuel Storage Casks, 85 Fed. Reg. 1,129, 1,129 (Jan. 9, 2020); Modernization of
Regulations S-K Items 101, 103, and 105, 84 Fed. Reg. 44,358, 44,358 (Aug. 23, 2019); International Traffic in
Arms Regulations: U.S. Munitions List Categories I, II, and III, 83 Fed. Reg. 24,198, 24,198 (May 24, 2018).
226 Remittance Transfers Under the Electronic Fund Transfer Act, 84 Fed. Reg. 67,132, 67,132 (Dec. 6, 2019).
227 Guidance on Federal Conformity Assessment Activities, 85 Fed. Reg. at 7,258.

Again, the NPRMs issued by the FTC provide the most complete guidance in this regard:
Because your comment will be placed on the publicly accessible FTC website at
https://www.ftc.gov, you are solely responsible for making sure that your
comment does not include any sensitive or confidential information. In particular,
your comment should not include any sensitive personal information, such as your
or anyone else’s Social Security number; date of birth; driver’s license number or
other state identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. You are also solely
responsible for making sure that your comment does not include any sensitive
health information, such as medical records or other individually identifiable
health information.233
c. Guidance regarding alternative mechanisms for submitting comments containing
protected materials

Agency practice regarding notice of alternative methods for submitting protected
materials varies. As indicated in Table 2, only 9 of 43 agencies examined (21%) provide such
guidance in their NPRMs.

228 Internet Communication Disclaimers and Definition of “Public Communication,” 83 Fed. Reg. 12,684, 12,684
(Mar. 26, 2018).
229 Jurisdiction—Nonemployee Status of University and College Students Working in Connection with Their
Studies, 84 Fed. Reg. 49,691, 49,691 (Sept. 23, 2019).
230 Occupational Exposure to Beryllium and Beryllium Compounds in Construction and Shipyard Sectors, 84 Fed.
Reg. 53,902, 53,902 (Oct. 8, 2019).
231 Post-Employment Conflict of Interest Restrictions; Departmental Component Designations, 85 Fed. Reg. 7,252,
7,252 (Feb. 7, 2020).
232 Advance Designation of Representative Payees for Social Security Beneficiaries, 84 Fed. Reg. 65,040, 65,040
(Nov. 26, 2019).
233 Premerger Notification; Reporting and Waiting Period Requirements, 84 Fed. Reg. 58,348, 58,349 (Oct. 31,
2019).

Some agencies provide quite general guidance. NPRMs released by the DOS and the U.S.
Merit Systems Protection Board (MSPB) notify prospective commenters that they may submit
their comments anonymously.234 For example, a recent NPRM issued by the U.S. Small Business
Administration (SBA) asks submitters to highlight any CBI and explain why they believe the
agency should withhold that information as confidential, subject to agency review.235 The FTC’s
NPRMs follow a similar approach:
Comments containing material for which confidential treatment is requested must
be filed in paper form, must be clearly labeled “Confidential,” and must comply
with FTC Rule 4.9(c). In particular, the written request for confidential treatment
that accompanies the comment must include the factual and legal basis for the
request, and must identify the specific portions of the comment to be withheld
from the public record. See FTC Rule 4.9(c). Your comment will be kept
confidential only if the General Counsel grants your request in accordance with
the law and the public interest. Once your comment has been posted on the public
FTC website—as legally required by FTC Rule 4.9(b)—we cannot redact or
remove your comment from the FTC website, unless you submit a confidentiality
request that meets the requirements for such treatment under FTC Rule 4.9(c), and
the General Counsel grants that request.236
NPRMs issued by the U.S. Department of Agriculture (USDA) and the U.S. Department
of Justice (DOJ) provide somewhat more specific guidance that requires the inclusion of the
phrase “PERSONAL IDENTIFYING INFORMATION” or “CONFIDENTIAL BUSINESS
INFORMATION” in the first paragraph of the comment and prominently identify the
information to be redacted from the comment.237 These NPRMs indicate that information
properly marked as PII or CBI will not be posted online without mentioning any discretionary
authority to review whether the redacted material actually constitutes protected information.238
Both agencies note that comments containing so much protected material that they cannot be
effectively redacted may be partially or completely withheld from the public.239

234 International Traffic in Arms Regulations, 79 Fed. Reg. at 24,198; Practices and Procedures, 79 Fed. Reg.
18,658, 18,658 (Apr. 3, 2014).
235 Small Business Size Standards: Calculation of Annual Average Receipts, 84 Fed. Reg. 29,399 (June 24, 2019).
236 Premerger Notification; Reporting and Waiting Period Requirements, 84 Fed. Reg. at 58,349.
237 Equal Opportunity for Religious Organizations in U.S. Department of Agriculture Programs: Implementation of
Executive Order 13831, 85 Fed. Reg. 2,897, 2,898 (Jan. 17, 2020); Schedules of Controlled Substances: Placement
of Cyclopentyl Fentanyl, Isobutyryl Fentanyl, Para-Chloroisobutyryl Fentanyl, Para-Methoxybutyryl Fentanyl, and
Valerylfentanyl Into Schedule I, 85 Fed. Reg. 5,356, 5,356 (Jan. 30, 2020).

DOE and the Food and Drug Administration require commenters seeking confidential
treatment to submit both redacted and unredacted versions of comments.240 Like the FTC, both
of these agencies require that requests for confidential treatment be submitted in written form.241
DOE makes clear that it “will make its own determination about the confidential status of the
information and treat it according to its determination.”242
Other agencies include language in the NPRM directing commenters to other resources
where information is available. For example, a recent EPA NPRM directs commenters towards
its own website,243 which contains guidance requiring the submission of redacted and unredacted
versions of comments containing CBI, including instructions not to submit CBI electronically.244
d.

Notices of agency discretion to redact information from comments

As indicated in Table 2, only one agency (2%) provides explicit advance notice of its
discretionary authority to redact comments. Specifically, a recent NPRM issued by the
Commodity Futures Trading Commission (CFTC) states:

The Commission reserves the right, but shall have no obligation, to review,
pre-screen, filter, redact, refuse or remove any or all of your submission from
http://www.cftc.gov that it may deem to be inappropriate for publication, such as
obscene language. All submissions that have been redacted or removed that
contain comments on the merits of the rulemaking will be retained in the public
comment file and will be considered as required under the Administrative
Procedure Act and other applicable laws, and may be accessible under the
Freedom of Information Act.245

238 Equal Opportunity for Religious Organizations in U.S. Department of Agriculture Programs, 85 Fed. Reg. at
2,898; Schedules of Controlled Substances, 85 Fed. Reg. at 5,356.
239 Equal Opportunity for Religious Organizations in U.S. Department of Agriculture Programs, 85 Fed. Reg. at
2,898; Schedules of Controlled Substances, 85 Fed. Reg. at 5,356.
240 Energy Conservation Program, 84 Fed. Reg. at 62,482; Content and Format of Substantial Equivalence Reports;
Food and Drug Administration Actions on Substantial Equivalence Reports, 84 Fed. Reg. 12,740 (Apr. 2, 2019).
241 Energy Conservation Program, 84 Fed. Reg. at 62,482; Content and Format of Substantial Equivalence Reports,
84 Fed. Reg. at 12,740.
242 Energy Conservation Program, 84 Fed. Reg. at 62,482.
243 Air Plan Approval; FL; 2010 1-Hour SO2 NAAQS Transport Infrastructure, 85 Fed. Reg. at 7,491.
244 Commenting on EPA Dockets, U.S. ENVTL. PROT. AGENCY, https://www.epa.gov/dockets/commenting-epa-dockets
(last visited Feb. 13, 2020).

Note that this right of redaction emphasizes the problem of obscene language instead of
protected information.
e. Notices of opportunities to challenge decisions regarding disclosure or
withholding

As indicated in Table 2, 5 of the 43 agencies examined (12%) include language in their
NPRMs providing guidance to commenters on how to challenge agency decisions regarding
disclosure or withholding of protected material. The best developed example is the CFTC,
which included language in a recent NPRM directing those wishing to submit protected
information to do so in accordance with 17 C.F.R. § 145.9.246 Along with instructions about how
to make such a submission, the cited regulation also lays out how such requests will be processed
by the agency, beginning with an initial determination and the opportunity to appeal that initial
determination to the General Counsel.247

245 Certain Swap Data Repository and Data Reporting Requirements, 84 Fed. Reg. at 21,044.
246 Id.
247 17 C.F.R. § 145.9(d)–(g).

2. Public Meetings
Many agencies also encounter protected materials in public meetings. As noted above, 6
of the 27 responses to the survey (22%) reported that they provide notice regarding the
submission of PII or CBI in public meetings, although only 4 described how that guidance is
provided. The SEC has also published a SORN regarding comments submitted during
Commission hearings.248
One agency states that it “sometimes” provides notice by making a statement at the
meeting. Another agency provides notice within the meeting materials. A third agency gives
notice that the meeting is going to be broadcast or recorded. Finally, two of the agencies stated
that they rely on statements in the Federal Register notices that announce upcoming meetings to
provide guidance on how information submitted at the meetings will be used. As one agency
pointed out in an interview, most people at the meetings are aware the meetings are public and
know not to share personal or sensitive information they want to keep private.
3. Websites
Notices and disclaimers provided in websites through which interested parties submit
comments represent another important source of advance notice of policies governing the
disclosure and withholding of CBI and PII in comments submitted in the public rulemaking
dockets. Regulations.gov lists 29 of the 43 agencies examined (67%) as participating agencies.249
Of these 43 agencies, 14 do not participate in Regulations.gov.250 Of these 14, 4 agencies require
paper submissions,251 and the other 10 agencies solicit and accept comments through their own
websites, which are analyzed below.

248 Securities and Exchange Commission; Privacy Act of 1974, 41 Fed. Reg. 41,550, 41,562–63 (Sept. 22, 1976)
(SEC-15).
249 The 29 agencies examined who participate in Regulations.gov are the CMS, CFPB, FTC, IRS, National Archives
and Records Administration, NLRB, OSHA, OMB, OCC, SSA, USDA, DOC, DOD, ED, DOE, DHS, DOJ, DOL,
DOS, Treasury, DOT, DVA, EPA, EEOC, FDA, GSA, NRC, OPM, and SBA. Participating Agencies,
REGULATIONS.GOV (Nov. 2019), https://www.regulations.gov/docs/Participating_Agencies.pdf.
250 Non-Participating Agencies, REGULATIONS.GOV (Nov. 2019),
https://www.regulations.gov/docs/Non_Participating_Agencies.pdf.

a. Regulations.gov

As noted above, two thirds of agencies examined accept comments in rulemaking
proceedings through the Regulations.gov website.252 The USITC accepts submissions both
through Regulations.gov and its own website.253 A screenshot of the comment submission page
for Regulations.gov appears in Figure 1. The process for submitting comments necessarily
exposes prospective submitters to a number of notices and disclaimers.

251 Simplified Proceedings, 75 Fed. Reg. 28,223, 28,223 (June 21, 2010) (Federal Mine Safety and Health Review
Commission); Practices and Procedures, 80 Fed. Reg. 66,787, 66,787 (Oct. 30, 2015) (MSPB); Revisions to
Procedural Rules Governing Practice Before the Occupational Safety and Health Review Commission, 83 Fed. Reg.
48,578, 48,578 (Sept. 26, 2018) (Occupational Safety and Health Review Commission); Post-Employment Conflict
of Interest Restrictions; Departmental Component Designations, 85 Fed. Reg. 7,252, 7,252 (Feb. 7, 2020) (OGE).
252 See supra note 249 and accompanying text.
253 Submission and Consideration of Petitions for Duty Suspensions and Reductions, 84 Fed. Reg. 9,273, 9,273
(Mar. 14, 2019).

Figure 1: Comment Submission Page for Regulations.gov

Notice at the Bottom of the “Comment Now!” Webpage
Members of the public may submit comments by using the available finding tools to
identify the relevant matter. Next to the entry of the relevant rule will appear either a button
stating, “Comment Now!,” or a notice stating, “Comment instructions in document.” Those
accessing the “Comment Now!” function will be taken to a comment page with the following
disclaimer at the bottom:
Any information (e.g., personal or contact) you provide on this comment form or
in an attachment may be publicly disclosed and searchable on the Internet and in a
paper docket and will be provided to the Department or Agency issuing the
notice. To view any additional information for submitting comments, such as
anonymous or sensitive submissions, refer to the Privacy Notice and User Notice,
the Federal Register notice on which you are commenting, and the Web site of the
Department or Agency.254
Link to the “Privacy Notice” at the Bottom of the “Comment Now!” Webpage
Clicking on the “Privacy Notice” presents prospective commenters with additional notice
on “Sharing and Disclosure,” including the following text:
The material you submit to a federal department or agency through
Regulations.gov may be seen by various people. Any personally identifiable
information (e.g., name, address, phone number) included in the comment form or
in an attachment will be provided to the department or agency to which your
comment is directed and may be publicly disclosed in a docket or on the Internet
(via Regulations.gov, a federal agency website, or a third-party, non-government
website with access to publicly-disclosed data on Regulations.gov).255
Link to the “User Notice” at the Bottom of the “Comment Now!” Webpage
The User Notice contains the following notice on “Comments and Public Submissions”:
. . . You should be aware that requirements for submitting comments may vary by
department or agency. For purposes of submitting comments, some agencies may
require that you include personal information, such as your name and email
address, on the comment form. Each agency manages its own data within the site,
according to agency-specific comment review and posting policy. Comments may
be publicly disclosed in a docket or on the Internet (via Regulations.gov, a federal
agency website, or a third-party, non-government website with access to
publicly-disclosed data on Regulations.gov).
Do not submit information whose disclosure is restricted by statute, such as trade
secrets and commercial or financial information (hereinafter referred to as
Confidential Business Information “CBI”) to Regulations.gov. Comments
submitted through Regulations.gov cannot be claimed as CBI. Comments
received through the website will waive any CBI claims for the information
submitted. Some agencies may impose special requirements for submitting CBI or
copyrighted works. To view any additional information or instructions for
submissions, refer to the specific Federal Register notice on which you are
commenting and the website of the department or agency.256

254 Comment Now!, REGULATIONS.GOV, https://www.regulations.gov/comment?D=DOS_FRDOC_0001-5130 (last
visited Feb. 16, 2020).
255 Privacy Notice, REGULATIONS.GOV, https://www.regulations.gov/privacyNotice (last visited Feb. 16, 2020).

Link to “Alternate Ways to Comment” at the Top of the “Comment Now!” Webpage
Regulations.gov itself does not provide uniform instructions regarding opportunities for
confidential submission. However, a button for “Alternate Ways to Comment” sometimes
appears in the upper right region of each comment submission page that agencies are able to use to
provide additional instructions regarding how to submit protected information. Examples of
some of the more complete disclosures appear below.
Some agencies use this function to provide guidance regarding alternative methods for
submitting comments containing CBI. For example, the EPA uses a variety of language in its
postings, but its most complete one instructs commenters not to submit CBI or other information
whose disclosure is restricted by statute; informs them that EPA’s policy is to include all
comments not claimed to be CBI in the public docket without change, including any personal
information provided, and to make them available via Regulations.gov; and directs parties
interested in submitting CBI confidentially to consult with the agency via its website, email, or
mail.257

256 User Notice, REGULATIONS.GOV, https://www.regulations.gov/userNotice (last visited Feb. 16, 2020).
257 You are commenting on: The Environmental Protection Agency (EPA) Proposed Rule: National Oil and
Hazardous Substances Pollution Contingency Plan; National Priorities List: Partial Deletion of Operable Unit 1 of
the Libby Asbestos Superfund Site, REGULATIONS.GOV,
https://www.regulations.gov/comment?D=EPA-HQ-SFUND-2002-0008-0022 (last visited Feb. 14, 2020) (follow
“Alternative Ways to Comment” hyperlink).

The language that the DOT discloses under “Alternative Ways to Comment” reflects a
somewhat different approach that covers both CBI and PII. For example, the Pipeline and
Hazardous Materials Safety Administration (PHMSA), which is a component agency of the
DOT, includes a “Privacy Act Statement” disclosing that “DOT posts [rulemaking] comments,
without edit, including any personal information the commenter provides, to
www.regulations.gov, as described in the system of records notice (DOT/ALL-14 FDAS).”258 It
also provides guidance on “Confidential Business Information” instructing filers to “clearly
designate the submitted comments as CBI” as appropriate and to submit redacted and unredacted
copies along with an explanation why the material is CBI.259 It also informs filers that “[u]nless
you are notified otherwise, PHMSA will treat such marked submissions as confidential under the
FOIA, and they will not be placed in the public docket of this document.”260 It further specifies
that “[a]ny commentary PHMSA receives that is not specifically designated as CBI will be
placed in the public docket for this matter.”261
The Food and Drug Administration (FDA) provides the most complete disclosure. The
agency provides a warning regarding both CBI and PII, including specific examples:
Comments submitted electronically, including attachments, to
https://www.regulations.gov will be posted to the docket unchanged. Because
your comment will be made public, you are solely responsible for ensuring that
your comment does not include any confidential information that you or a third
party may not wish to be posted, such as medical information, your or anyone
else’s Social Security number, or confidential business information, such as a
manufacturing process. Please note that if you include your name, contact
information, or other information that identifies you in the body of your
comments, that information will be posted on https://www.regulations.gov.262

258 You are commenting on: The Pipeline and Hazardous Materials Safety Administration (PHMSA) Proposed Rule:
Pipeline Safety: Valve Installation and Minimum Rupture Detection Standards, REGULATIONS.GOV,
https://www.regulations.gov/comment?D=PHMSA-2013-0255-0005 (last visited Feb. 14, 2020) (follow
“Alternative Ways to Comment” hyperlink).
259 Id.
260 Id.
261 Id.

The agency also provides guidance on how to submit a comment containing protected
materials that calls for a written/paper submission of redacted and unredacted copies, with the
former containing a heading or cover note stating, “THIS DOCUMENT CONTAINS
CONFIDENTIAL INFORMATION.”263
The FDA’s notice further directs filers to other relevant guidance: “Any information
marked as ‘confidential’ will not be disclosed except in accordance with 21 CFR 10.20 and other
applicable disclosure law. For more information about FDA’s posting of comments to public
dockets, see 80 FR 56469, September 18, 2015, or access the information at:
https://www.govinfo.gov/content/pkg/FR-2015-09-18/pdf/2015-23389.pdf.”264
The additional guidance is instructive. The regulation requires the deletion of “the names
and other information that would identify patients or research subjects” before submission to the
FDA “in order to preclude a clearly unwarranted invasion of personal privacy.”265 In addition,
the regulations provide that “[m]aterial prohibited from public disclosure under 20.63 (clearly
unwarranted invasion of personal privacy)” will not be made available to the public.266
Interestingly, the regulations also specify that “[t]he office of the Division of Dockets
Management does not make decisions regarding the confidentiality of submitted documents.”267

262 You are commenting on: The Food and Drug Administration (FDA) Proposed Rule: Importation of Prescription
Drugs, REGULATIONS.GOV, https://www.regulations.gov/comment?D=FDA-2019-N-5711-0001 (last visited Feb. 14,
2020) (follow “Alternative Ways to Comment” hyperlink).
263 Id.
264 Id.
265 21 C.F.R. § 10.20(c)(4).
266 Id. § 10.20(j)(2)(i).
267 Id. § 10.20(c)(6).

The Federal Register reference mentioned in the language revealed by the link to
“Alternative Ways to Comment” explains a change in policy by the FDA permitting the public
release of consumer comments.268 The “Background” section explained that the volume of
comments submitted since the 2007 merger of its docket system with Regulations.gov had
undermined the feasibility of its previous policy, announced in 1995, of routinely reviewing all
comments for obvious confidential information in order to prevent the disclosure of personal
information.269 The shift away from the previous “precautionary” practice of nondisclosure
presented no legal problems, “because, as FDA has stated previously, ‘there can be no
reasonable expectation of confidentiality for information submitted to a public docket in a
rulemaking proceeding.’”270 Such a change was also an improvement over the policy of selective
disclosure of individual consumer comments.271 The change also complies with the 2010 FDA
Transparency Initiative,272 aligns with Administrative Conference Recommendation 2013-4’s
call for “[a]gencies [to] manage their public rulemaking dockets to achieve maximum public
disclosure” consistent with legal limitations and other claims of privilege,273 and furthers
Executive Order No. 13,563’s objective of having agencies “base their regulations on ‘public
participation and an open exchange of ideas.’”274

268 Consumer Comments—Public Posting and Availability of Comments Submitted to Food and Drug
Administration Dockets, 80 Fed. Reg. 56,469, 56,469 (Sept. 18, 2015).
269 Id. at 56,469.
270 Id. (quoting Procedures for Handling Confidential Information in Rulemaking, 60 Fed. Reg. 66,981, 66,982 (Dec.
27, 1995)).
271 Id. at 56,470.
272 Id. (citing TRANSPARENCY TASK FORCE, U.S. DEP’T OF HEALTH & HUMAN SERVS., FOOD & DRUG ADMIN., FDA
TRANSPARENCY INITIATIVE: DRAFT PROPOSALS FOR PUBLIC COMMENT REGARDING DISCLOSURE POLICIES OF THE
U.S. FOOD AND DRUG ADMINISTRATION 4 (May 2010), available at
http://www.lb7.uscourts.gov/documents/02c51292.pdf).
273 Id. (quoting Administrative Conference Recommendation 2013-4, supra note 3, at 8 ¶ 2).
274 Id. (quoting Exec. Order No. 13,563, supra note 2, § 1).

The following section on “Consumer Comments and Confidential Information” contains
specific language about PII, warning commenters that they are “solely responsible for ensuring
that the submitted comment does not include any confidential information that the commenter or
a third party may not wish to be posted, such as private medical information, the commenter’s or
anyone else’s Social Security number, or confidential business information, such as a
manufacturing process” and that any name, contact information, or other identifying information
included in the body of a submitted comment will be posted on http://www.regulations.gov.275
The agency indicates its expectation that comments would need to include private, personal, or
confidential information “only in exceptional instances” and directs commenters wishing to
submit such information to do so in written/paper form as detailed in the applicable Federal
Register document, understanding that the redacted copy will be posted.276
b. Commodities Futures Trading Commission

The CFTC accepts public comment through its own website.277 A screenshot of a typical
CFTC comment submission page appears in Figure 2.

275
Id.
276
Id.
277
Public Comments Form, COMMODITIES FUTURES TRADING COMM’N,
https://comments.cftc.gov/PublicComments/CommentForm.aspx?id=3074 (last visited Feb. 14, 2020).

Figure 2: Comment Submission Page for the Commodities Futures Trading Commission

Unlike regulations.gov, the CFTC website requires an email address for submission of
any online comment to avoid spam and Internet “bots.”278 Though an email address is collected,
it is not published on CFTC.gov.279
While the CFTC affirmatively references the possibility of screening, redacting, or even
removing comments from their online website if they are “inappropriate for publication,” the
language in the public comment notice references “obscene language” as opposed to the presence of
CBI or PII as possible reasons for take-downs or redactions.280
The CFTC comments webpage includes an “Important Reminder” regarding the public
nature of submitted comments:
All comments entered below will be published on www.cftc.gov without review
and without removal of any personally identifying information or information that
you or your business may wish to be held confidentially. Do not include social
security numbers, your home address, or other personal information in your
comment that you prefer not be made publicly available.281
The website fails to clearly reference any possible method of challenging withholding or
disclosure decisions, or any way to submit a confidential comment.
c. Federal Communications Commission

The Federal Communications Commission (FCC) maintains its own Electronic Comment
Filing System (ECFS) to receive and maintain all public rulemaking comments and submissions.
A screenshot of its comment submission page appears in Figure 3.

278
Id.
279
Id.
280
Id.
281
Id.

Figure 3: Comment Submission Page for the Federal Communications Commission

The comment page provides separate tabs for “Standard Filing,” “Express Comment,”
and “Non-Docketed Filing.”282 All three options contain the same disclosure language at the
bottom of the page: “Note: You are filing a document into an official FCC proceeding. All
information submitted, including names and addresses, will be publicly available via the web.”283
The webpage for non-docketed filing supplements the standard disclosure at the bottom of the
page with a much more prominent disclosure at the top of the page, stating:
NOTE: DO NOT SUBMIT CONFIDENTIAL DOCUMENTS USING ECFS.
CONFIDENTIAL DOCUMENTS MUST BE SUBMITTED ON PAPER TO
THE OFFICE OF THE SECRETARY. ALL DOCUMENTS SUBMITTED
THROUGH ECFS ARE MADE AVAILABLE TO THE PUBLIC.284
The FCC’s general guidance on Rulemaking at the FCC similarly explains, “If your
document contains information you wish withheld from public inspection, you must write
‘Confidential, Not for Public Inspection’ on the upper right-hand corner of each page. The
documents should then be placed in an envelope also marked ‘Confidential, Not for Public
Inspection.’”285 Similar language appears on the webpage Formal Comments in Proceedings.286
The FCC’s Guidelines for Filing Paper Documents and How to File Paper Documents with the
FCC contain slightly more extensive guidance.
Documents containing information to be withheld from public inspection should
be clearly and conspicuously labeled “CONFIDENTIAL, NOT FOR PUBLIC
INSPECTION.” This designation should be placed in the upper right-hand

282
Submit a Filing, FED. COMMC’NS COMM’N, https://www.fcc.gov/ecfs/filings (last visited Feb. 14, 2020).
283
Id.; ECFS Express, FED. COMMC’NS COMM’N, https://www.fcc.gov/ecfs/filings/express (last visited Feb. 14,
2020).
284
Non-Docketed Filing, FED. COMMC’NS COMM’N, https://www.fcc.gov/ecfs/filings/nodocket (last visited Feb. 14,
2020).
285
Rulemaking at the FCC, FED. COMMC’NS COMM’N, https://www.fcc.gov/general/rulemaking-fcc (last visited Feb.
14, 2020).
286
Formal Comments in Proceedings, FED. COMMC’NS COMM’N, https://www.fcc.gov/general/formal-commentsproceedings (last visited Feb. 14, 2020).

corner of each page. If these instructions are not followed, the filer increases the
risk for inadvertent disclosure of confidential information.287
The FCC does not explicitly provide information on its website regarding contesting
decisions on withholding or disclosure. The bottom of the comment submission page
instructs anyone needing assistance to contact the ECFS help desk,288 as does the guidance on
Formal Comments in Proceedings.289
d. Federal Election Commission

The FEC does not currently have any pending rules open for comment.290 As a result, the
research team was unable to examine the guidance and disclosures on this agency’s portal for
accepting rulemaking comments. When comments are available, FEC maintains its own website
for accepting comments.291
e. Federal Energy Regulatory Commission

FERC accepts rulemaking comments through its own website, providing two ways to
comment online: eComment292 and eFiling.293 An eComment, any comment that consists of less
than 6,000 words, does not require an eRegistration (which asks for, among other things, name,

287
Guidelines for Filing Paper Documents, FED. COMMC’NS COMM’N, https://www.fcc.gov/secretary/guidelinesfiling-paper-documents (last visited Feb. 14, 2020) (emphasis in original); How to File Paper Documents with the
FCC, FED. COMMC’NS COMM’N, https://www.fcc.gov/reports-research/guides/how-file-paper-documents-fcc (last
visited Feb. 14, 2020) (same).
288
Submit a Filing, supra note 282.
289
Formal Comments in Proceedings, supra note 286.
290
Pending rulemaking matters for comment, FED. ELECTION COMM’N, https://www.fec.gov/legalresources/regulations/pending-rulemaking-matters-comment/ (last visited Feb 15, 2020).
291
Id.
292
Quick Comment, FED. ENERGY REGULATORY COMM’N, https://ferconline.ferc.gov/QuickComment.aspx (last
visited Feb. 15, 2020).
293
eFiling, FED. ENERGY REGULATORY COMM’N, https://ferconline.ferc.gov/eFiling.aspx (last visited Feb. 15,
2020).

phone number, email, address, and the name of the commenter’s affiliate organization).294 A
screenshot of its eComment submission page appears in Figure 4.
Figure 4: eComment Submission Page for the Federal Energy Regulatory Commission

294

Id.

For comments under 6,000 words, there is no notice regarding the public nature of
submitted comments on the actual comment submission page. However, the comments webpage
contains one warning, regarding what types of information may be removed from public view:
“NOTE: Comments containing profane, inflammatory, scurrilous, or threatening
material will not be placed in public view.”295
Comments under 6,000 words require commenters to enter contact information, however,
and the web page (depicted in Figure 4) that collects comment information includes a warning at
the bottom:
FERC Online does not require the submission of personally identifiable
information (PII) (e.g. social security numbers, birthdates, and phone numbers),
and FERC will not be responsible for any PII submitted to FERC Online,
including any accidental or inadvertent disclosure.296
An eFiling, on the other hand, permits comments over 6,000 words in length, and
requires documentation, including eRegistration.297 A screenshot of FERC’s eFiling submission
page appears in Figure 5.

295
Quick Comment, supra note 292.
296
Id.
297
Id.

Figure 5: eFiling Submission Page for the Federal Energy Regulatory Commission

For eFilings, eRegistered users are allowed to designate comments contained in Word
documents or other files as “privileged,” as seen in Figure 5.298 The eRegistration form also
includes a notice regarding the submission of PII or CBI identical to the notice at the bottom of
Figure 4.299
There is no mention on either the eFiling or the eComments webpage regarding
challenges to withholding or disclosure decisions.
f. Federal Housing Finance Agency

The Federal Housing Finance Agency (FHFA) also maintains its own website regarding
the submission of public comments.300 A screenshot of its comment submission page appears in
Figure 6.

298
eFiling, supra note 293.
299
Id.
300
60-Day Notice of Submission of "Community Support Requirements" Information Collection for OMB Approval,
FED. HOUSING FIN. AGENCY, https://www.fhfa.gov/SupervisionRegulation/Rules/Pages/60-Day-Notice-ofSubmission-of-Members-of-the-Banks-Information-Collection-for-OMB-Approval.aspx# (last visited Feb 15, 2020).

Figure 6: Comment Submission Page for the Federal Housing Finance Agency

The submission page does not require any information beyond a name and contains no
notice regarding the disclosure of public comments, though it includes links to the FHFA’s
SORNs that cover correspondence, online forms, and other telecommunications systems.301 The
website also contains no mention of any disclosure or withholding challenge procedures.
g. Board of Governors of the Federal Reserve System

The Board of Governors of the Federal Reserve System (Federal Reserve), which
maintains its own comment submission web page, takes an extra step to ensure that commenters
read a privacy notice: when a user navigates to the page to submit comments, a pop-up appears
and informs the reader that:
[A]ll public comments on proposals, however they are submitted (via this
website, by e-mail, or in paper form) will be made available publicly (on this web
site and elsewhere in paper form). Comments are not edited for public viewing
but are reproduced exactly as submitted, except when alteration is necessary for
technical reasons. The names and addresses of commenters are included with all
comments made available for public viewing.302
A screenshot of this pop-up notice appears in Figure 7.

301
Id.
302
Popup to Electronic Comment Form, FED. RESERVE,
https://www.federalreserve.gov/secure/forms/ElectronicCommentForm.aspx?doc_id=R%2D1669&doc_ver=1 (last
visited Feb. 15, 2020).

Figure 7: Pop-Up Notice on Comment Submission Page for the Federal Reserve System

On the actual comment submission webpage, there is no additional privacy warning.303
h. Postal Regulatory Commission

Like other agencies with comment websites, the Postal Regulatory Commission (PRC)
requires users to create an account before leaving comments.304 However, the temporary
accounts expire in nine days, with permanent online accounts requiring a more formal
application.305 The page for online comment submission does not contain a privacy notice
regarding CBI or PII, nor does the page detail a process for confidential submission. However,
the “How to Participate” page of PRC’s website includes this notice:
Those who want to participate should know that Commission proceedings are
judicial in nature. They are typically conducted in accordance with strict rules of
procedure, evidence and due process just as in a court of law. Consequently, the
more involved one becomes in a proceeding, the more responsibility is entailed
for complying with the applicable rules and procedures. In view of this, a
knowledgeable public representative is appointed on behalf of the general public
to participate in all Commission proceedings and to represent the interests of

303
Id.
304
Filing Online Login, POSTAL REGULATORY COMM’N, https://www.prc.gov/filingonline/login (last visited Feb. 15,
2020).
305
How to Participate, POSTAL REGULATORY COMM’N, https://www.prc.gov/how-to-participate (last visited Feb.
15, 2020).

individual consumers. The public representative also may advise first-time
participants on the operation of Commission rules of procedure.306
i. Surface Transportation Board

The Surface Transportation Board (STB) maintains its own commenting website to
facilitate public commenting.307 This website does not require users to register before leaving
comments.308 Though the individual comment page does not include any notice regarding the
public disclosure of all comments filed, STB does include a notice on its e-Filings webpage that
reads:
NOTE: If the person filing with the Board submits personal information, this
information will be publicly available on the Board’s website. This published
information may include, but is not limited to, the filer’s home address, telephone
number and email address when the contact information serves as the filer’s
business contact information.309
j. U.S. International Trade Commission

USITC, as indicated by its Federal Register notice, accepts comments on both its website
and on Regulations.gov.310 The Electronic Document Information System (EDIS) that USITC
maintains requires all users to register with EDIS before accessing any submission pages.311
When submitting a comment through the EDIS, the first question asked beyond the
contact information of the submitter is whether the comment “contains CBI or BPI,” as depicted

306
Id.
307
Other Filings, SURFACE TRANSP. BD., https://prod.stb.gov/proceedings-actions/e-filing/other-filings/ (last visited
Feb. 15, 2020).
308
Id.
309
e-Filings, SURFACE TRANSP. BD., https://prod.stb.gov/proceedings-actions/e-filing/ (last visited Feb. 15, 2020).
310
Submission and Consideration of Petitions for Duty Suspensions and Reductions, 84 Fed. Reg. 9,273, 9,273
(Mar. 14, 2019).
311
Electronic Document Information System (EDIS), INT’L TRADE COMM’N, https://edis.usitc.gov/external/ (last
accessed Feb. 15, 2020).

in Figure 8.312 Next, it asks if the submitter’s comment is a “public version of a confidential
document filed with the Commission.”313 Only after answering these questions are commenters
able to complete their comments, though there is no other notice of the public nature of
comments.314
Figure 8: Confidential Comment Submission for the U.S. International Trade Commission

k. U.S. Securities and Exchange Commission

The SEC maintains its own personal commenting website to solicit public
participation.315 A screenshot of its comment submission page appears in Figure 9.

312
Comments Submission, INT’L TRADE COMM’N,
https://edis.usitc.gov/external/submission/submissionContainer.html (last accessed Feb. 15, 2020).
313
Id.
314
Id.
315
SEC Proposed Rules, SECS. & EXCH. COMM’N, https://www.sec.gov/rules/proposed.shtml (last visited Feb. 7,
2020).

Figure 9: Comment Submission Page for the U.S. Securities and Exchange Commission

The SEC’s public commenting website includes this language to warn about the public
nature of rulemaking comments: “Important: All comments will be made available to the
public. Submit only information that you wish to make available publicly.”316
The SEC website does not publicly detail a method for filing confidential or redacted
comments, nor does the SEC website detail a process for further agency consideration regarding
decisions on withholding or disclosure.
l. Discussion

Regulations.gov provides useful disclosure of agency policies with respect to disclosure
and withholding of CBI and PII. The ability to customize the language accessed through the link
for “Alternate Ways to Comment” gives agencies the flexibility to adjust these notices to their
different circumstances.
A few notes bear mentioning, however. Much of this information is click through—
unless a submitter is affirmatively seeking an alternative way to comment, for example, they are
unlikely to encounter any privacy notices or information about confidential submission. Further,
because agencies may vary in their additional information, there are inconsistent notices
regarding opportunities to submit protected information. Some of the pop-up notices available on other
agency-maintained commenting websites like the Federal Reserve are more likely to be seen by
commenters, though those notices still fail to contain information about other ways to comment.
Most importantly, however, the inconsistency regarding notice on both the public nature
of submitted comments and availability of confidential submission processes may be confusing

316

How to Submit Comments, SECS. & EXCH. COMM’N (Sept. 10, 2019),
https://www.sec.gov/rules/submitcomments.htm (emphasis in original).

to commenters. All agencies are subject to the same regulations regarding public disclosure, so
the variation in the notice they provide to commenters is striking. In particular, not every agency
provides specific notice that commenters are in fact waiving their privacy interests or their ability
to claim something as CBI when they submit a public comment.
Some agencies also provide confidential submission processes (either via paper or
online). This is likely to confuse some inexperienced, less savvy commenters. The requirement
of paper submission is also inconsistent with the legal mandates to promote online participation
in rulemaking to the greatest degree possible.
4. System of Records Notices (SORNs)

One interview participant and survey respondent suggested that the System of Records
Notices (SORNs) required by the Privacy Act of 1974 provided commenters with sufficient notice
and guidance about the relevant practices and procedures with respect to protected materials. To
assess this possibility, the research team reviewed items published in the Federal Register to
determine how many agencies have issued SORNs governing information submitted in public
rulemaking dockets and examined what disclosures, if any, they contained regarding protected
materials. The results are summarized in Table 3.
Table 3: System of Record Notices (SORNs) Filed by Agencies Examined Applicable to
Comments Submitted During Rulemaking Process
Type                                                            Agencies
Systems for managing comments in public rulemaking dockets      10
Correspondence (including comments submitted to the agency)     1

Ten out of the 43 agencies examined (23%) have published SORNs governing comments
submitted in their public rulemaking dockets, as has the Pension Benefit Guaranty
Corporation.317 The U.S. Department of Homeland Security (DHS) has issued a SORN about
correspondence that applies to “[i]ndividuals who submit inquiries, complaints, comments, or
other correspondence to DHS,” which if read broadly could apply to comments submitted during
a rulemaking proceeding.318
Interestingly, 9 agencies who accept rulemaking comments through their own websites
have not issued SORNs to cover those records, including the FEC, FERC, FHFA, Federal
Reserve, USITC, PRC, SEC, and the STB. The SEC’s website does contain a link to a SORN for
comments submitted during Commission hearings.319
a. Government-Wide SORN for the Federal Docket Management System (FDMS)

The most important SORN is the government-wide SORN filed by the EPA regarding the
Federal Docket Management System (FDMS) designed to manage comments submitted via
Regulations.gov.320 The U.S. General Services Administration (GSA) took over as managing
partner of the FDMS on October 1, 2019.321
The FDMS SORN contains important disclosures regarding PII. It acknowledges that
“[t]here will be instances when a person using FDMS to submit a comment or supporting
materials on a Federal rulemaking must provide name and contact information (e-mail or mailing

317
See infra Part II.A.4.l.
318
Privacy Act of 1974; System of Records, 83 Fed. Reg. 48,645, 48,645 (Sept. 26, 2018).
319
Securities and Exchange Commission; Privacy Act of 1974, 41 Fed. Reg. 41,550, 41,562–63 (Sept. 22, 1976)
(SEC-15).
320
Establishment of a New System of Records Notice for the Federal Docket Management System, 70 Fed. Reg.
15,086, 15,086 (Mar. 24, 2005), amended by Amendment of the Federal Docket Management System (EPA/GOV2), 78 Fed. Reg. 60,868 (Oct. 2, 2013).
321
Privacy Act of 1974; Systems of Records, 84 Fed. Reg. 53,728, 53,728 (Oct. 8, 2019). As explained above, while
GSA has taken over as managing partner of the e-Rulemaking Program, including the FDMS, the new SORN they
filed fails to cover any records “pertaining to agency rulemakings.” See supra note Error! Bookmark not defined..
Accordingly, this report analyzes the EPA SORN.

address) as required by an agency, or, a person may have the option to do so.”322 The SORN
further notes that the FDMS necessarily contains information covered by the Privacy Act,
including “personal identifying information (name and contact address/e-mail address).”323 The
SORN explicitly acknowledges agency discretion to withhold or revise comments:
Each agency has the opportunity to review the data it receives as part of its
rulemakings. An agency may choose to keep certain types of information
contained in a comment submission from being posted publicly, while preserving
the entire document to be reviewed and considered as part of the rulemaking
docket. . . . Each agency manages, accesses, and controls the information in the
FDMS that is submitted to that particular agency and also maintains the sole
ability to disclose the data submitted to that particular agency.324
The FDMS SORN contains boilerplate language not specific to the rulemaking context
directing individuals seeking amendment or correction of a record to submit that request to the
agency contact indicated on the initial document for which the related contested record was
submitted.325 In rulemaking contexts, this would generally entail the agency contact listed within
the Federal Register NPRM.
b. Commodities Futures Trading Commission

The Commodities Futures Trading Commission (CFTC) recently modified CFTC-45, its
SORN that covers comments received online.326 Regarding the privacy of information submitted
by commenters, both online and otherwise, CFTC explained:
The commenter’s contact information, or other additional personal information
voluntarily submitted, is not published on the internet, unless the commenter has
incorporated such information into the text of his or her comment. During an
informal rulemaking or other statutory or regulatory notice and comment process,

322
Establishment of a New System of Records Notice for the Federal Docket Management System, 70 Fed. Reg. at
15,086.
323
Id.
324
Id.
325
Id. at 15,088.
326
Privacy Act of 1974; System of Records, 84 Fed. Reg. 17,816 (Apr. 26, 2019).

Commission personnel may manually remove a comment from publication if the
commenter withdraws his or her comments before the comment period has closed
or because the comment contains obscenities or other material deemed
inappropriate for publication by the Commission. However, comments that are
removed from publication will be retained by the Commission for consideration
as required by the APA, or as part of the Commission's documentation of a
comment withdrawal in the event that one is requested.327
When detailing the types of information included within the system, CFTC emphasizes
that they sometimes receive personal information:
The comments or input provided may contain other personal information,
although the comment submission instructions advise commenters not to include
additional personal or confidential information.328
The CFTC’s SORN also includes information concerning the protection of records from
unauthorized access, including agency-wide procedures regarding protecting PII and annual
privacy and security trainings.329 However, those procedures are not detailed.
Finally, the CFTC describes a procedure for contesting any possible records, as is
required by the Privacy Act. All those interested in contesting records about themselves within
the comment system of records are directed to write to the Office of General Counsel.330
c. Federal Communications Commission

The FCC’s SORN covers its own Electronic Comment Filing System.331 The SORN
mentions that, unless confidentiality is requested, all comments are routinely available to the

327
Id. at 17,817.
328
Id. at 17,817-18.
329
Id. at 17,818.
330
Id.
331
Privacy Act of 1974; Systems of Records, 71 Fed. Reg. 17,234 (Apr. 5, 2006).

public “over the Internet 24 hours a day, seven days a week.”332 Users who want to contest their
records are advised to direct those queries to the system manager.333
d. Federal Trade Commission

The FTC’s FTC-I-6 system covers “participation in Commission . . . rulemaking”
including those who have left “public comments.”334 Public comments received regarding FTC
rulemakings are maintained by the Federal Docket Management System (as explored above).335
FTC-I-6 notes that records within the system, including comments, can be disclosed on the
FTC’s website, in FTC’s public record, and through the FDMS.336
e. Pension Benefit Guaranty Corporation

When the Pension Benefit Guaranty Corporation (PBGC) began accepting comments on
PBGC.gov, it filed a SORN for PBGC-25.337 The PBGC notes that the information in the record
“may include name, email address, physical address, phone numbers, PBGC customer
identification numbers, Social Security numbers, dates of birth, dates of hire, dates of
termination, marital status, [and] pay status.”338 The SORN also clarifies that “information,
including PII, contained in comments about agency rulemaking, whether submitted through
pbgc.gov or regulations.gov, may be published to the PBGC website.”339

332
Id. at 17,236-37.
333
Id. at 17,237.
334
Privacy Act of 1974; Systems of Records, 73 Fed. Reg. 33,592, 33,601 (June 12, 2008).
335
Id.
336
Id.
337
Privacy Act of 1974; System of Records, 82 Fed. Reg. 6,247, 6274 (Feb. 13, 2018).
338
Id. at 6,275.
339
Id.

f. U.S. Department of Defense

DOD has also published a SORN for its Federal Docket Management System.340 As
DOD’s SORN points out, only individual commenters who voluntarily provide their personal
contact information when commenting are covered by the SORN, because anonymous
commenters cannot be identified.341
DOD notes that their docket management system
permits a member of the public to download any of the public comments received.
If an individual has voluntarily furnished his or her name when submitting the
comment, the individual, as well as the public, can view and download the
comment by searching on the name of the individual. If the comment is submitted
electronically using the FDMS system, the viewed comment will not include the
name of the submitter or any other identifying information about the individual
except that which the submitter has opted to include as part of his or her general
comments.342
However, no other detailed information regarding privacy is included. The SORN also notes that
the procedures for accessing or amending records vary between the various DOD components,
and directs commenters to each component’s regulatory guidance.343
g. U.S. Department of Justice

DOJ has a published SORN concerning all submissions to the Justice Federal Docket
Management System, which covers “any person—including private individuals, representatives
of Federal, State or local governments, businesses, and industries, that provides personally

340
Privacy Act of 1974; System of Records, 71 Fed. Reg. 586 (Jan. 5, 2006).
341
Id.
342
Id.
343
Id. at 586.

identifiable information pertaining to DOJ and persons mentioned or identified in the body of a
comment.”344
At the outset of the SORN, DOJ notes that if a comment meets all requirements “as
determined by DOJ or the component publishing the rulemaking, the comment will be posted on
the Internet at the FDMS Web site.”345 The SORN also confirms that the names, identifying
information, and full text of all comments will be available for public viewing, but that
“[c]ontact information (e-mail or mailing address) will not be available for public viewing,
unless the submitter includes that information in the body of the comment.”346
The possibility of redaction is mentioned in the SORN, which notes that a component of
DOJ “may choose not to post certain types of information contained in the comment submission,
yet preserve the entire comment to be reviewed and considered as part of the rulemaking
docket.”347 In particular, the SORN cites “material restricted from disclosure by Federal statute”
as the type of information that would be withheld but still considered during the rulemaking
process.348
In regard to contesting possible records, DOJ notes that individuals who seek to contest
or amend the information “should direct their requests to the appropriate system manager at the
address indicated in the System Managers and Addresses section . . . stating clearly and
concisely what information is being contested, the reason for contesting it, and the proposed

344
Privacy Act of 1974; System of Records, 72 Fed. Reg. 12,196, 12,917 (Mar. 15, 2007).
345
Id. at 12,196.
346
Id. at 12,916.
347
Id.
348
Id.

amendment to the information sought.”349 The Systems Managers listed include a manager for
policy issues and one for technical issues.350
h. U.S. Department of Labor

The U.S. Department of Labor (DOL) has a published SORN which covers “any
individuals who provides personal information when submitting a public comment and/or
supporting materials in response to” rulemaking.351 Interestingly, this SORN has the exact same
privacy notice regarding the Federal Docket Management System as DOD regarding the public
nature of all comments received and confirming that a comment is searchable by the submitter’s
name.352 The language of the two agencies’ SORNs is virtually indistinguishable.
i. U.S. Department of the Treasury

The U.S. Department of the Treasury (Treasury) published a new e-Rulemaking SORN
in January 2020.353 Treasury begins the SORN by referencing the possible redaction or
withholding of certain comments:
During an informal rulemaking or other statutory or regulatory notice and
comment process, Department personnel may manually remove a comment from
posting if the commenter withdraws his or her comments before the comment
period has closed or because the comment contains obscenities or other material
deemed inappropriate for publication by the Treasury. However, comments that
are removed from posting will be retained by the Department for consideration, if
appropriate under the APA.354

349
Id. at 12,198.
350
Id.
351
Privacy Act of 1974; System of Records, 84 Fed. Reg. 57,484 (Oct. 25, 2019).
352
Id. at 58,486; see also supra note 342 and accompanying text.
353
Privacy Act of 1974; System of Records, 85 Fed. Reg. 1,198 (Jan. 9, 2020).
354
Id.

Treasury notes, however, that other comments are “timely publish[ed] on a website to provide
transparency in the informal rulemaking process” under the APA.355
Treasury also explains, when detailing the information collected by the system of records,
that commenters sometimes include personal information:
Comments or input submitted to Treasury may include the full name of the
submitter, an email address and the name of the organization, if an organization is
submitting the comments. The commenter may optionally provide job title,
mailing address and phone numbers. The comments or input provided may
contain other personal information, although the comment submission instructions
advise commenters not to include additional personal or confidential
information.356
However, Treasury is not as explicit regarding the public and permanent nature of online
comments as other agencies are in their SORN language. Treasury also includes little detail
regarding challenges to withholding or disclosure, directing individuals who seek to contest
records to inquire with “individual Treasury components.”357
j. U.S. Department of Transportation

DOT has numerous SORNs, including DOT/ALL 14 for public rulemaking dockets
maintained on the Federal Docket Management System.358 The DOT SORN includes little detail
regarding the mandatory disclosure of public comments, though it notes that the comments are
stored “electronically on a publicly accessible website” and are “freely available to anyone.”359
All queries are directed towards the DOT Dockets Program Manager, with no additional details
regarding procedures to challenge disclosure or withholding.360

355 Id.
356 Id. at 1,199.
357 Id. at 1200.
358 Privacy Act of 1974; Systems of Records, 73 Fed. Reg. 3,316 (Jan. 17, 2008).
359 Id.
360 Id.

k. U.S. Department of Veterans Affairs

DVA explicitly notes that “the portion of VAFDMS information that comes under the
Privacy Act is personal identifying information (name and contact address/email address).”361
Not only is this used by DVA to identify commenters, as it notes, but it is also used to allow
“clarification of the comment, direct response to a comment, and other activities associated with
the rulemaking or notice process.”362 As with the other agencies above, only commenters who
voluntarily provide their names and contact information are covered by the SORN.363
DVA uses similar language to many other agencies when describing which comments
will result in the name and contact information of the submitter being displayed:
Unless the individual submits the comment anonymously, a name search will
result in the comment being displayed for view. If the comment is submitted
electronically using www.Regulations.gov, the viewed comment will not include
the name of the submitter or any other identifying information about the
individual except the information that the submitter has opted to include as part of
his or her general comment. If a comment is submitted in writing, the information
scanned and uploaded into VAFDMS will contain the submitter’s name, unless
the individual submits the comment anonymously. All comments received will
become a matter of public record and will be posted without change to
www.regulations.gov including any personal information provided.364
The DVA also notes in the SORN that “personal information about the commenter” may
be included in the FDMS.365

361 Privacy Act of 1974; Systems of Records, 82 Fed. Reg. 35,872 (Aug. 1, 2017).
362 Id.
363 Id.
364 Id. at 35,873.
365 Id.

l. Discussion

There is no doubt that, in a few areas, SORNs provide some degree of notice to
the public about agency policies with respect to protected information. In particular, most
SORNs emphasize that if a name is provided by the commenter, his or her comment will be
publicly searchable online. This information is important, because while website disclaimers and
NPRMs mention the public availability of comments, no notice other than the SORNs explicitly
details the fact that comments will be searchable by and associated with the commenter’s name,
regardless of what language is included in the comment. Additionally, a few SORNs, including
that of the Treasury, explain that even comments removed from the public rulemaking record
will be included in the required rulemaking docket submitted for judicial review under the APA.
At the same time, SORNs lack important information regarding public disclosure of
comments. In particular, because SORNs are only required for systems of records that are
searchable by name or other personal identifiers, they generally focus only on comments where a
submitter has voluntarily provided their own contact information—not where a submitter may
have attempted to comment anonymously but inadvertently revealed important details about
themselves in the body of the comment. SORNs focus mostly on contact information without
providing any detailed guidance regarding PII or CBI.
In addition, SORNs are not easy to find. Unlike the NPRMs, which most commenters are
likely to consult before leaving a comment, SORNs are often included on one isolated page of an
agency’s website (which contains lists that are sometimes incomplete and hard to reference) and
published infrequently in the Federal Register when updates are necessary. The fact that
agencies have their own classification methods regarding systems of records adds to the
confusion. While the agencies mentioned above explicitly refer to electronic rulemaking and
comments in their SORNs, other agencies may rely on general correspondence SORNs to cover
this category of records. Although the SORNs provide important information about policies
regarding handling of comments, commenters are less likely to encounter them than they are to
encounter NPRMs or notices on an agency web page.
5. Surveys, Negotiated Rulemakings, Ex Parte Communications, and Regulations

The survey conducted by the research team also identified a number of other methods
that agencies use to communicate their policies with respect to disclosing and withholding
protected information. Four agencies reported giving advance guidance regarding their policies
with respect to protected materials when administering surveys. Two agencies specified
that they included that notice within the survey instrument itself.
Two agencies reported that they provide advance notice regarding their policies on
submitting CBI and PII before information is submitted during a negotiated rulemaking,
although neither agency provided any detail about their specific practices. One interview subject
similarly reported giving such disclosures, but was surprised by how much proprietary
information participants disclosed.
Two other agencies reported that they provide advance guidance as to their policies
regarding the disclosure of protected materials in ex parte communications, but neither agency
chose to elaborate on the precise nature of that advance guidance.
One survey response also cited general reliance on its publicly available agency
regulations on disclosure as advance guidance and notice to parties potentially submitting
information. Similar references occur in NPRM language issued by the FTC366 and the CFTC367
and in language provided by the FDA in the “Alternative Ways to Comment” link in
Regulations.gov.368
Still another agency reported including an additional statement regarding the submission
of information on the page of its website where it provides a link to Regulations.gov. As noted
above, the FCC also provides guidance on other portions of its website.369 NPRMs issued by the
EPA similarly point to guidance on its website.370
B. Type and Frequency of Submission of Protected Materials

Another section of the survey sent to agencies was designed to measure the types of
protected materials they received and with what frequency. Agencies were asked separately
about CBI and PII. They were also asked how often they encounter protected materials about
third parties on a scale from 0 to 10, as shown in Figure 10.
Figure 10

The caption above this scale characterizes 0 as “never” and 10 as “Every time CBI is submitted.”
The natural way to read this scale is to interpret a response of 0 as 0% of the time and to interpret
a response of 10 as 100% of the time, with each number in between corresponding to a 10%
increase in frequency.

366 See supra note 236 and accompanying text.
367 See supra notes 246–247 and accompanying text.
368 See supra notes 265–267 and accompanying text.
369 See supra notes 285–287 and accompanying text.
370 See supra notes 243–244 and accompanying text.

1. Confidential Business Information (CBI)

The first portion of the survey asked agencies what types of CBI they encountered over
the course of rulemaking. The survey responses are summarized in Table 4:
Table 4: Types of CBI Encountered in Rulemaking Proceedings
Type                                 Responses
Total affirmative responses          13
Trade secrets                        7
Financial regulatory information     6
Other                                8

Thirteen of the 27 survey responses (48%) and 11 of the 23 agencies responding to the
survey (41%) indicated that they receive some type of CBI in rulemaking proceedings. Three
interview subjects indicated that CBI can interfere with their ability to justify rules, as the obligation
not to disclose that information to the public effectively forecloses the agency from relying on it
as the basis for its action. One agency noted that commenters request CBI status only a handful
of times a year. Another agency reported that the increasing competitiveness of the business
environment has caused requests for confidentiality to increase.
Of the 13 agencies that reported encountering some type of CBI during rulemaking
proceedings, 7 agencies reported that they encountered trade secrets (26% of all submissions,
54% of submissions reporting encountering CBI); 6 agencies reported that they encountered
financial regulatory information, such as Form 8-Ks and 10-Ks (22% of all submissions, 46% of
submissions reporting encountering CBI); and 8 agencies reported that they received “Other
kinds of CBI” (30% of all submissions, 62% of submissions reporting encountering CBI).
Agencies reported encountering the following five types of CBI as falling within this catchall
category, with the frequency indicated in parentheses:
• Strategic documents (2).
• Personal bank account and financial information, including bank statements (2).371
• Pricing, cost, operational and revenue data and methodologies (1).
• Marketing and sales information (1).
• Financial data that does not satisfy the legal definition of a “trade secret” (1).

One of the agencies indicating that it received strategic documents described them as including
competitive strategy and market share.
The survey also asked agencies how often they encountered CBI about a third party. The
results are reported in Table 5.
Table 5: Frequency with Which Agencies Encounter CBI about Third Parties in Rulemaking Proceedings
Frequency            Responses
Never                8
10% of the time      3
20% of the time      2

When asked how often this information was about a third party, 8 of the 13 respondents
who reported encountering CBI replied that they never receive CBI about a third party (30% of
all submissions, 62% of submissions reporting encountering CBI). Three agencies rated the
frequency of receiving CBI from a third party as a 1 on a scale of 1 to 10 (11% of all
submissions, 23% of submissions reporting encountering CBI), and 2 agencies reported it as a 2
(7% of all submissions, 15% of submissions reporting encountering CBI). If these data points are
combined to form a weighted average, the survey responses suggest that the average agency
encounters CBI about third parties roughly 5% of the time. As explored below, agencies report
that they encounter CBI about third parties much less frequently than PII about third parties.

371 Note that in some situations, personal bank information and bank statements may also be considered PII. In this
context, the agencies submitted these answers in the section regarding CBI, so Table 5 reports their answers as
received.

2. Personally Identifiable Information (PII)

The research team asked agencies what types of PII they encounter during rulemaking
proceedings. The survey responses are summarized in Table 6:
Table 6: Types of PII Encountered in Rulemaking Proceedings
Type                            Responses
Total affirmative responses     17
Social Security numbers         8
Medical information             7
Other                           15

Seventeen of the 27 survey submissions (63%) and 16 of the 23 agencies responding to
the survey (69%) indicated that they receive some type of PII in rulemaking proceedings. Of the
17 agencies that reported encountering some type of PII during rulemaking proceedings, 8
agencies reported encountering Social Security numbers (35% of all submissions, 47% of
submissions reporting encountering PII); 7 agencies reported encountering medical information
during rulemaking (30% of all submissions, 41% of submissions reporting encountering PII);
and 14 agencies reported that they received “Other kinds of PII” (61% of all submissions, 82%
of submissions reporting encountering PII). Agencies reported encountering the following 6
types of PII as falling within this catchall category, with the frequency indicated in parentheses:
• Contact information (including names, home addresses, phone numbers, and email addresses) (10).
• Dates of birth (4).
• Employment/salary information (2).
• Marital status (1).
• Information about dependents (1).
• Alien registration number (1).
• Photocopies of passports, bank statements, and drivers’ licenses (1).
• Information about security clearances (1).

The survey also asked agencies who reported receiving PII how often they encountered
PII about a third party. The results are reported in Table 7.
Table 7: Frequency with Which Agencies Encounter PII about Third Parties in Rulemaking Proceedings
Frequency            Responses
Never                6
10% of the time      2
20% of the time      4
30% of the time      1
40% of the time      1
90% of the time      3

Of the 17 respondents (representing 16 agencies) who responded to this question, 6 (35%) stated
that they never receive PII about a third party. Two agencies (12%) rated the frequency of
receiving PII from a third party as a 1 on a scale of 1 to 10; 4 agencies (24%) rated it as a 2; 1
agency (6%) rated it as a 3; 1 agency (6%) rated it as a 4; and 3 agencies (17%) rated it as a 9. If
these responses are combined to form a weighted average, the survey responses suggest that the
average agency encounters PII about a third party 16% of the time.
The type of PII that agencies encounter clearly depends on the subject matter under their
jurisdiction. For example, one agency with jurisdiction over a subject matter that does not
routinely implicate personal matters reported that it did not recall ever receiving PII about a third
party, while agencies whose authority directly covers subject matter that almost always involves
PII report much higher frequencies.
The survey responses suggest that information about third parties is submitted far more
frequently for PII than CBI. Agencies generally recognized that screening for certain types of
PII, such as Social Security numbers, is relatively straightforward. Two agencies expressed
concern about the ability to screen for other types of third-party information.
C. Agency Processes for Dealing with Protected Materials

A number of survey and interview questions were designed to learn more about agencies’
processes for dealing with protected materials. Prominent issues included the frequency and
standards used for screening for CBI and PII, procedures for reviewing requests for
confidentiality, techniques for facilitating meaningful review of protected materials, and
procedures for challenging decisions regarding protected materials.

1. Frequency of Screening for CBI and PII

The survey asked respondents whether their agency screened information submitted for
CBI and PII. The results are summarized in Table 8.
Table 8: Whether Agency Screens for CBI and PII
Type     Responses
Yes      13
No       5

Of the 18 responses representing 17 agencies that answered the question, 13 reported that
they screen some submissions for CBI and PII (72%), while 5 indicated that they did not (28%).
Two survey responses affirmatively indicated that they conduct no screening of public comments
in the absence of a confidentiality request. One of the respondents who indicated that they screened
for CBI/PII clarified that they did not screen public comments, only other types of submitted
information.


The survey also asked what methods these agencies used to screen comments for CBI and
PII. The results are summarized in Table 9.
Table 9: Methods for Screening for CBI and PII
Type                            Responses
Total affirmative responses     9
Agency employees                8
Independent contractor          4
Artificial intelligence         1
Other                           0

Eight of the 9 agencies (89%) who answered questions about who performed the
screening reported using agency staff to screen dockets. Four agencies reported using contractors
(44%). Only 1 agency reported relying on artificial intelligence (AI) to screen (11%). One
agency reported that “most” agencies have docket scanners, either contractors or staff, who
screen for PII and then exclude it from the docket. One agency reported that the secretary’s office or
the web group performs screening for the agency instead of the rulemaking staff.
Agencies have reported changes in their screening methods over time. For example, 1
agency described feeling “disconnected” from the commenting process when contractors
managed the docket and switched back to using agency staff to obtain a better feel for the timing
and the substance of the comments. Another agency reported that they are currently considering
using AI to screen for confidential and personal information along with abusive comments.
The survey also asked how frequently agencies excluded comments containing CBI and
PII from their public rulemaking dockets. The results are summarized in Table 10.


Table 10: Frequency with Which Agencies Exclude PII or CBI from Public Rulemaking Dockets
Frequency            Responses
Never                3
10% of the time      7
20% of the time      3
50% of the time      2
70% of the time      1
90% of the time      1

Three of the 17 survey respondents (18%) reported that they never exclude PII or CBI
from a public rulemaking docket. Seven respondents (41%) reported making such exclusions
10% of the time. Two respondents (12%) reported making such exclusions 20% of the time,
while another 2 (12%) reported doing so 50% of the time. Finally, 1 survey respondent (6%)
reported making such exclusions 70% of the time, while another 1 respondent (6%) reported
doing so 90% of the time. If these responses are combined to form a weighted average, the
survey responses suggest that the average agency excludes PII or CBI 23% of the time. The
skewness of the distribution suggests that certain agencies make such exclusions much more
frequently than others.
Because Regulations.gov and other websites allow electronic filing, however, some
agencies expressed concerns that requiring screening or scrubbing of every comment for CBI or
PII would “paralyze” the system by focusing all agency resources on screening comments
and slowing down rulemaking. As explored below, this worry about additional burden permeated
most conversations the research team had with agencies.
2. Standards for Screening for CBI and PII

Regarding the substance of screening criteria, one interview subject indicated that it has
no written policy. Most agencies reported giving screeners some level of guidance as to how to
screen for CBI and PII. The guidance varied in its level of specificity. Five agencies reported
specifically instructing screeners to redact information such as Social Security numbers, dates of
birth, driver’s license and other similar identification numbers, passport numbers, financial
account numbers, and credit/debit card numbers. Two agencies advise staff to redact addresses
and phone numbers. One agency reports advising staff to redact medical records. One agency
advises staff screening for CBI to look for copyrighted materials, trade information, and
commercial and financial information.
Up until 2015, the FDA did not publicly post comments submitted by individuals in their
individual capacity on Regulations.gov—only comments of those representing organizations,
corporations, or other entities.372 When the FDA changed this long-standing practice in 2015, it
cited “transparency and public utility of FDA’s public dockets” as the major reason for the
change.373
But the FDA provided another important notice when announcing this change. It
explained that the process of routinely reviewing all comments for “obvious confidential
information” is “no longer feasible given the volume of comments FDA receives and the
adoption of a government-wide electronic portal system for submitting and posting
comments.”374 The FDA’s initial reason for withholding individual comments was based largely
on the concern of inadvertent personal disclosure by commenters.375 In light of this new policy,
the FDA explains:
The commenter is solely responsible for ensuring that the submitted comment
does not include any confidential information that the commenter or a third party
may not wish to be posted, such as private medical information, the commenter’s
or anyone else’s Social Security number, or confidential business information,
such as a manufacturing process. If a name, contact information, or other
information that identifies the commenter is included in the body of the submitted
comment, that information will be posted on http://www.regulations.gov. FDA
will post comments, as well as any attachments submitted electronically, on
http://www.regulations.gov, along with the State/Province and country (if
provided), the name of the commenter’s representative (if any), and the category
selected to identify the commenter (e.g., individual, consumer, academic,
industry).376

372 Consumer Comments—Public Posting and Availability of Comments Submitted to Food and Drug
Administration Dockets, 80 Fed. Reg. 56,469 (Sept. 18, 2015).
373 Id.
374 Id.
375 Id.

The FDA also describes a confidential submission process, the details of which will be
published in the NPRMs appearing in the Federal Register:
The Agency expects that only in exceptional instances would a comment need to
include private, personal, or confidential information. If a comment is submitted
with confidential information that the commenter does not wish to be made
available to the public, the comment would be submitted as a written/paper
submission and in the manner detailed in the applicable Federal Register
document. For written/paper comments submitted containing confidential
information, FDA will post the redacted/blacked out version of the comment
including any attachments submitted by the commenter. The unredacted copy will
not be posted, assuming the commenter follows the instructions in the applicable
Federal Register document. Any information marked as confidential will not be
disclosed except in accordance with § 10.20 (21 CFR 10.20) and other applicable
disclosure law.377
The screening processes employed by other agencies tend to be rather informal. Four
agencies described a brief screening process for CBI and PII that did not appear to follow any
specific set of guidelines. Those agencies were merely on the lookout for “sensitive” or
“confidential” information. Another agency reported that while they have no written policy
regarding what to do when confronted with a comment containing potentially sensitive
information, they generally tend to block out Social Security numbers for Regulations.gov. One
agency explained that when encountering third-party information, a staffer’s immediate first
action would be to designate the comment as “do not post” and start a process of evaluation with
FOIA counsel. A lack of “resources,” as one agency explained, has also led at times to very
infrequent application of certain informal policies: 100,000 comments are much less likely to get
scrutinized for sensitive information, for example, than ten comments. A few interview subjects
also noted that though they may screen comments on Regulations.gov, they may still include that
information in some form on the administrative record.

376 Id. at 56,469-70.
377 Id. at 56,470.

Only 1 survey respondent reported offering formal training for screening staff. That
agency reported conducting mandatory privacy training annually for all agency staff and
additional individual training for all docket staff on how to recognize and redact PII. That agency
further provided agency experts and attorneys who could work with docket screening staff to
consult on CBI and PII issues. As noted above, the SORN for the CFTC also specifically
requires annual privacy and security training.378
Regarding the need for such guidance, agency views were mixed. On the one hand, one
interview subject expressed concern about individual agency staff basing decisions regarding
redaction on their own conception of what should be private. Another interview subject
expressed support for the idea of giving agency staff guidance as to what information should be
withheld. On the other hand, a third interview subject reported that his agency does not see the
need for more policies.
3. Procedures for Reviewing Requests for Confidentiality

As noted earlier, the research team’s review of the NPRMs employed by the agencies
examined found that the NPRMs of 8 of the 43 agencies (19%) disclosed to commenters the
opportunity to request treating portions of their comments as confidential.379 Two of the 27
survey responses (7%) indicated the same.

378 See supra note 329 and accompanying text.

In some cases, agency regulations reveal how those requests are handled. The FTC’s NPRM
notes that FTC Rule 4.9 gives the General Counsel the authority to decide whether to grant a
request for confidential treatment.380 Rule 4.9(c) specifies that “[t]he General Counsel or the
General Counsel’s designee will act upon such request with due regard for legal constraints and
the public interest” and that no material contained in such a request “will be placed on the public
record until the General Counsel or the General Counsel’s designee has ruled on the request for
confidential treatment and provided any prior notice to the submitter required by law.”381
As noted earlier, the NPRMs issued by the CFTC point to agency rules that describe a
slightly more extensive process for handling requests for confidential treatment.382 The rules
assign the responsibility for making the initial determination to the Assistant Secretary for FOI,
Privacy and Sunshine Acts Compliance or his or her designee.383 The Assistant Secretary or his
or her designees must inform commenters who have their request for confidential treatment
denied in whole or in part of their right to appeal that decision to the CFTC General Counsel.384
Any such appeal must be made in writing and must be decided within 20 days.385 The General
Counsel may refer appeals to the full Commission.386
Some interview subjects offered that these systems can be abused and that agencies often
find themselves in situations where they are pushing back against overinclusive confidentiality
requests from businesses. As a few agencies expressed in interviews, oftentimes businesses
handing over information request confidentiality to the point where it is “impossible” to go
through the documents and information page by page to decide what is confidential. Some
companies have begun requesting confidentiality for almost everything they file, even in
situations where much of the information being submitted is not “competitively sensitive.”
Another agency noted that many items “marked as confidential business information” by the
submitter come from law firms.

379 See supra Part II.A.1.c.
380 See supra note 236 and accompanying text.
381 16 C.F.R. § 4.9(c)(1).
382 See supra note 247 and accompanying text.
383 17 C.F.R. § 145.9(f)(1).
384 Id. § 145.9(f)(2).
385 Id. § 145.9(g)(1), (7).
386 Id. § 145.9(g)(3).

Interview subjects report that agency staff who want to rely on certain information in
writing an order can struggle when that information is confidential. Dissatisfied with the
admonition, “Trust us based on an appendix we included that you cannot see,” members of the
public often push back through FOIA requests and other litigation. Because of this, one agency
actually explained that it seeks to dampen or eliminate confidential comments, if possible. More
public information, after all, makes for easy rule-writing decisions.
One agency noted that assertions of confidentiality are growing more frequent and
described the lengthy process it must undergo to challenge an assertion of confidentiality: when a
party requests confidential treatment, it is treated as such until the agency rules otherwise. If the
agency does rule otherwise, the party has another ten business days to seek review by the full
commission, and then ultimately has ten days to seek a stay in court. Only after that whole
process has run its course is the purported confidential information made public. While this
agency is sensitive to the fact that once CBI is made public, it is public forever, it notes how
“cumbersome” and at times “paralyzing” the process can be.


4. Techniques for Facilitating Meaningful Public Comment on Protected Materials

Agencies that withhold protected materials must confront another problem: how do they
report enough information to explain their rulemaking processes while still protecting
commenters’ privacy? The survey specifically asked agencies what techniques they used to
facilitate meaningful public comment regarding CBI and PII that have been withheld. The results
are summarized in Table 11.
Table 11: Techniques for Facilitating Meaningful Public Comment Regarding CBI and PII That Have Been Withheld
Type                            Responses
Total affirmative responses     11
Redaction                       8
Aggregation                     6
Anonymization                   5
Other                           2

Of the 11 responses to this question, 8 agencies (73%) indicated that they used redaction.
Six agencies (55%) said that they employed aggregation. Five (45%) relied on anonymization. Two
(18%) used other means: specifically, redacting only the name and address and contacting the
submitter to request withdrawal of the comment.
The survey indicates that redaction is the most common technique that agencies use to
balance their obligation to disclose as much information as possible against their duty to
protect certain types of information. But redaction can present problems: as one agency
explains, there are some types of information where other facts can be inferred if the public is
given pieces.387 Another agency explains that it uses redaction to protect information in
comments, but if a court had an issue with a redacted comment, it would seek a protective order.
According to that agency, no court has ever had an issue with a redacted comment so long as it
was able to review the unredacted document in camera.

387 This mirrors the analysis under FOIA Exemption 4.

The second most common technique is aggregation. As explained by one agency,
aggregation can be used to protect information from disclosure to the government as well as to
the public. This agency retains outside private consultants operating under nondisclosure
agreements to gather information from a variety of companies and uses the aggregated data to
create a spreadsheet that is submitted to the government. By virtue of this aggregation process,
no other information can be disclosed to the public even after a FOIA request. Aggregation is not
limited to data, either. Another agency explained that it will not always post every comment or
the exact language of every comment when explaining a Final Rule, but will explain that it
received a certain number of comments with the same general message. This is especially
common in group filings, where a large number of people will all submit one comment together.
Five agencies use anonymization, such as reporting comments without indicating who
left the comment. Note that Regulations.gov, which a vast majority of agencies use to collect
comments, does not require commenters to submit a name. The SEC and FCC comment
websites, on the other hand, do require names. Even for these websites, however, “Anonymous”
or another pseudonym can be used to leave comments, though it is unclear to what extent
agencies that require names review these comments.
Interviews with agency officials revealed still other techniques. One agency includes
smaller parts of confidential information in a public docket or notice of a final rule so that it
can include that information in its analysis. Another agency files some aspects of the record
under seal. In that situation, the sealed information can be disclosed as part of the record
without the agency having to say exactly what it was. Even in these cases, however, there is
still undisclosed information that the public cannot see.
5. Procedures for Challenging Decisions to Disclose or Withhold Protected Materials
The survey asked respondents whether their agency has a review process for challenging
decisions regarding the disclosure or withholding of CBI or PII from its public rulemaking
docket. The results are summarized in Table 12.
Table 12: Whether the Agency Has a Review Process for Challenging Decisions Regarding
the Disclosure or Withholding of CBI or PII from Its Public Rulemaking Docket

Type                                   Responses
Process for Challenging Disclosure     6
Process for Challenging Withholding    4

Six of the 7 agencies that responded to this question (86%) indicated that they had a
process for challenging decisions regarding disclosure, while 4 (57%) indicated that they had a
process for challenging decisions regarding withholding. A closer look at these survey responses
reveals that three agencies have a set process to challenge disclosure, one agency has a set
process for challenging withholding, and three agencies have set processes for both.
Of the 4 agencies with processes to challenge withholding, 2 rely on the Freedom of
Information Act (FOIA) request and appeal process, 1 applies a similar process that allows
challenges of withholding decisions via motion, and 1 agency has a specific codified process that
relies, in part, on FOIA interpretations.
Of the 6 agencies that have set processes for challenges regarding the decision to
disclose, 1 agency allows requests to remove comments from the docket. Ombudsmen are often
available at agencies to help with general complaints, and agency interviews indicated that
contacting the Ombudsman would be a proper avenue to request that PII contained in a comment
be taken down. One agency allows commenters to comment and request that their PII be
displayed, if it was redacted.
The survey also included questions about how frequently these types of challenges are
brought. The results are summarized in Table 13.
Table 13: Frequency with Which Commenters Challenge Decisions Regarding Disclosure
and Withholding of CBI or PII

Frequency          Disclosure    Withholding
Never              12            12
10% of the time    2             2
20% of the time    1             1

Twelve of the 15 agencies (80%) that responded to this question indicated that challenges
to decisions about both disclosure and withholding never occur. Two of the 15 agencies (13%)
reported that challenges to decisions about both disclosure and withholding occur 10% of the
time. One of the 15 agencies (7%) reported that challenges to decisions about both disclosure and
withholding occur 20% of the time, with those challenges focusing on CBI, not PII. If these data
points are combined to form a weighted average, the survey responses suggest that the average
agency faces challenges to disclosure and withholding with about the same frequency and that
each occurs roughly 3% of the time.
A major thread throughout our interviews was the ability of agencies both to facilitate
meaningful public comment and to explain regulations based partially on CBI or PII. But
when information is withheld, it can pose problems for agencies attempting to satisfactorily
justify their decisions under a 5 U.S.C. § 553(c) general statement or when undergoing arbitrary
and capricious review under 5 U.S.C. § 706(a). As one agency put it when the research team
interviewed it, when some data is classified, what should it do if it has information justifying
a regulatory decision that it cannot make public?

III. FINDINGS AND RECOMMENDATIONS
The legal analysis and empirical assessment of existing agency practices suggest that
agencies are making sincere efforts to strike the proper balance between the duty to make
government decisionmaking processes as open and transparent as possible on the one hand and
the recognized need to protect certain types of sensitive materials on the other hand. Agency
practices with respect to protected materials reflect considerable variation.
The public rulemaking process would likely benefit from greater harmonization of
practices across agencies with respect to policies regarding protected materials. At the same
time, differences in the frequency with which agencies encounter CBI and PII and variations in
the extent to which agencies depend on access to these materials in order to fulfill their mission
favor according agencies a considerable degree of flexibility in striking the proper balance
between their duties to disclose and withhold protected materials.
A. Recognition of a Strong Default Presumption in Favor of Disclosure
As noted earlier,388 all decisions regarding the treatment of protected materials must
proceed from, in the words of the Supreme Court, a “strong presumption in favor of disclosure
[that] places the burden on the agency to justify the withholding of any requested documents.”389
The interest in disclosure is particularly strong in the context of rulemaking, where information
about commenters, such as their names and addresses, can greatly contribute to the public’s
understanding of government processes.390 Agency policies should thus favor disclosure of
protected materials in the absence of a strong justification for protection.

388 See supra notes 156–158 and accompanying text.
389 U.S. Dep’t of State v. Ray, 502 U.S. 164, 173 (1991); accord Dep’t of Air Force v. Rose, 425 U.S. 352, 360–61
(1976) (recognizing that FOIA’s “basic purpose reflected ‘a general philosophy of full agency disclosure unless
information is exempted under clearly delineated statutory language’” (quoting S. REP. NO. 89-813, at 3 (1965))).

However, there may be some instances where an agency feels it must withhold material
information, whether it involves situations in which third-party PII was submitted and is relied
upon or cases in which CBI is ultimately crucial to the decision making process. In those
situations, if redaction, anonymization, and aggregation would not be sufficient, the statement of
basis and purpose accompanying the final rule required by the APA391 should inform the public
of the general nature of the information being withheld.
B. The Inclusion of Language in All NPRMs Disclosing Agency Policies Regarding
Protected Materials
NPRMs represent the document that members of the public are most likely to consult
before submitting their comments. Indeed, it is hard to imagine how someone could offer
relevant comments to a rulemaking proceeding without referring to the material presented in the
NPRM.
The research into agency practices suggests that NPRMs represent agencies’ primary
mechanism for informing prospective commentators about their policies with respect to
protected materials. Although the NPRMs issued by the vast majority of administrative agencies
disclose some important aspects of these policies, they are far from uniform in this regard.

390 See supra notes 182–185 and accompanying text.
391 See supra note 22 and accompanying text.

Making sure that all NPRMs contain language addressing the issuing agency’s policies
on certain key issues would provide better notice and guidance to prospective commentators. The
key elements include:
• Notice about policies regarding publication of comments, such as whether they are
  generally posted to the website without review and cannot be changed or whether
  they are routinely screened before publication.
• Specific guidance to avoid submitting PII in the body of comments unless the PII is
  about the submitter and the submitter is completely aware of the disclosure
  consequences. This guidance should explain that submitting PII entails a waiver of
  the submitter’s privacy interest in that material.
• Specific guidance not to submit CBI in comments unless using the available
  alternative mechanisms for submitting confidential information, and notice that
  submitting such CBI publicly likely entails a waiver of confidentiality.
• Guidance about alternative mechanisms for submitting confidential information.
• Notice that the agency reserves the right to redact any submissions in part or in full
  when making comments available to the public.
• Notice about opportunities to challenge decisions about disclosing or withholding
  information submitted in comments and information about how individuals can avail
  themselves of those processes.

Model disclosure language based on the best current agency practices appears in
Appendix D. Agencies should have wide latitude to modify these disclosures to fit their
particular needs.
C. The Inclusion of Language on Comment Submission Websites Disclosing Agency
Policies Regarding Protected Materials
Websites that accept comments in public rulemaking proceedings should provide notice
about the same policy practices listed in the discussion of NPRMs. Sample language, adapted
from language appearing at the bottom of the comment submission page on Regulations.gov,
could read:
Any information (e.g., personal or contact) you provide on this comment form or
in an attachment may be publicly disclosed and searchable on the Internet and in a
paper docket and will be provided to the Department or Agency issuing the
notice. Do not submit information whose disclosure is restricted by statute,
such as trade secrets or commercial and financial information, via [the online
commenting platform]. Do not submit sensitive personal information, such as
social security numbers or banking information, or confidential business
information, such as trade secrets, via [the online commenting platform]. To
view any additional information for submitting comments, such as anonymous or
sensitive submissions, refer to the [link to detailed information about submitting
paper or email comments], the Federal Register notice on which you are
commenting, and the [Web site of the Department or Agency].
This language places the key warnings on the primary comment page and simplifies the
current disclosure by replacing dual links to the “Privacy Notice” and the “User Notice” with a
single notice at the bottom of the page. The inclusion of this language and the retention of the
link for “Alternate Ways to Comment” gives agencies flexibility in tailoring these notices to their
particular circumstances. Although other critical information remains hidden behind a link, it
presents the most important information in a way likely to be read by potential commenters
without overburdening them. Although pop-up notices of the type employed by the Federal
Reserve are better at ensuring that the notice is seen by commenters, they may present a burden
that reduces the total number of comments. However, given the relative ease of incorporating
pop-ups on agency websites, they still ensure that a significant number of commenters at least
see the notice.
D. The Provision of Guidance on How to Submit Comments Containing Confidential
Information and the Possible Creation of a Process for Online Submission
One of the most striking areas where agency practices differed is with respect to
disclosure of methods other than general online comments that permit the submission of
confidential information. As noted earlier, the review of NPRMs issued by agencies examined
indicated that only 21% included language about alternative submission systems.392

392 See supra Table 2.


In addition, 4 agencies require that comments containing requests for confidential
treatment must be made in writing.393 Continuing reliance on paper submission runs counter to
the mandates in the E-Government Act of 2002 and Executive Order No. 13,563 to promote
online submission of rulemaking comments.
As noted above, agencies should make sure that their NPRMs and comment submission
websites provide adequate guidance regarding alternative mechanisms for submitting
confidential information.394 The mechanism can reflect either of the two primary mechanisms for
permitting the submission of protected information: (1) the inclusion of a prominent notice at the
top of the comment along with identification of the information to be redacted395 or (2) the
submission of both redacted and unredacted versions of the comment.396
In addition, comment submission websites should consider redesigning their submission
pages to enable commenters to submit confidential information without waiving confidentiality.
E. The Lack of Clear Benefit from Revising SORNs to Include Policies Regarding
Protected Materials
Many of the arguments for including information about policies regarding protected
materials in NPRMs and comment submission websites also apply to SORNs. Some agencies
indicated that they relied on SORNs to inform prospective commenters about their policies.397 In
addition, the survey of SORNs regarding docket management systems revealed that the specific
practices disclosed varied widely, even including disclosures that are not made elsewhere, and
might benefit from greater uniformity.398

393 See supra notes 236, 241, 244 and accompanying text.
394 See supra Part III.A–B.
395 See supra notes 236, 239 and accompanying text.
396 See supra notes 240, 244 and accompanying text.
397 See supra Table 1.

Other considerations make SORNs unlikely candidates for informing the public. The
statutory definitions limiting SORNs to systems searchable by name or other personal identifiers
make them poorly situated to protect materials submitted in anonymous comments or submitted
about parties other than the commenter. The difficulty in locating SORNs makes commenters
more likely to consult NPRMs, agency websites, or agency regulations. As a result, revision of
SORNs to provide more complete disclosures of policies regarding protected materials is likely
to provide limited benefit. Because the SORNs provide significant detail regarding the
maintenance and use of information collected through commenting portals, the research team
also recommends referencing the SORNs in an NPRM.
F. The Lack of Need to Screen Public Rulemaking Dockets for CBI When the
Commenter Has Not Requested Confidentiality
The analysis of the legal requirements suggests that agencies need not undertake
additional efforts to screen materials contained in public rulemaking dockets for CBI for which
the submitter has not requested confidential treatment. Separate issues are presented by CBI that
belongs to the party submitting the comment (called for purposes of this report “first-person
CBI”) and CBI that belongs to parties other than the one submitting the comment (called for
purposes of this report “third-person CBI”).
Regarding first-person CBI, the standard for confidentiality established by the Supreme Court’s
recent 2019 decision in Food Marketing Institute v. Argus Leader Media399 essentially dictates
that any CBI submitted in a rulemaking docket without a request for confidentiality is not
covered under FOIA Exemption 4. As noted earlier,400 this standard currently requires that the
information be both “closely held,” though the Court declined to determine whether it must be
disclosed only under express or implied assurances of nondisclosure in order to be regarded as
confidential.401 When the agency has notified commenters that any CBI submitted in comments
without a request for confidential treatment will be disclosed to the public, subsequent disclosure
of CBI submitted without such a request does not constitute the type of forced breach of good
faith promises of nondisclosure by the government that Congress had in mind when it enacted
FOIA.402 In addition, clear warnings that any CBI submitted in comments without a request for
confidential treatment will be disclosed to the public would make any inference of assurances of
confidentiality unreasonable and would likely constitute a waiver of any rights to
confidentiality.403

398 See supra Part II.A.4.m.
399 139 S. Ct. 2356 (2019).

Third-person CBI presents a somewhat more complicated question. The submission of
CBI without a request for confidentiality by someone other than the owner of that CBI can
hardly be considered a waiver. In addition, the failure to seek assurances of confidentiality for
the CBI can hardly be attributed to the owner when another party was responsible for making it
part of the rulemaking docket. However, the access that the submitter had to the third-party CBI
also indicates that the information may not be “closely held,” since other parties are aware of it,
thus making the information ineligible for exemption.

400 See supra notes 165–168 and accompanying text.
401 139 S. Ct. at 2363–64.
402 See supra notes 99, 171 and accompanying text.
403 See supra note 172 and accompanying text.

That said, several judicial decisions suggest that screening for third-party CBI is
unnecessary. As noted earlier, courts have held that Food Marketing Institute’s first prong,
requiring that the information be customarily and actually kept private, applies only to
information originating from the CBI holder itself.404 In addition, courts have held that the
systems of records protected by the Privacy Act do not apply to information about a third party
contained in a record about another party.405 Finally, the survey conducted by the research team
suggests that rulemaking comments rarely contain CBI belonging to third parties.406
Agencies thus bear little burden to screen comments for CBI when the submitter has not
requested confidential treatment regardless of whether the comment includes first-party or
third-party CBI. When commenters do affirmatively request confidential treatment of some material,
agencies should process those requests in accordance with their established policies.
G. The Need to Screen All Docket Materials for Certain Types of PII, Possibly
Through Computerized Screening
Unlike CBI, the legal analysis suggests that agencies may have a higher obligation to
screen public rulemaking dockets for PII. This report addresses separately the issues presented
by PII associated with the party submitting the comment (called for purposes of this report
“first-person PII”) and the issues presented by PII associated with parties other than the one
submitting the comment (called for purposes of this report “third-person PII”).
Regarding first-person PII, legal precedent and government policy support broad
disclosure. Federal law endorses a broad presumption in favor of disclosure, and the interest in
disclosure is particularly strong in the context of rulemaking.407 In addition, certain PII can be
important for the public to understand the relevance of particular comments.408 Finally,
commenters’ privacy interests are particularly weak (and may have been waived altogether)
when they have foregone available opportunities for confidential submission.409

404 See supra note 169 and accompanying text.
405 See supra notes 125–126 and accompanying text.
406 See supra Table 5.

But other considerations favor offering protection for PII in public rulemaking dockets in
certain contexts. Courts balancing the public’s interest in disclosure against individuals’ interest
in privacy found the latter particularly strong when disclosure would significantly increase the
risk of identity theft or some other similar harm.410 In addition, the judicial rules implementing
the E-Government Act of 2002 require courts to protect certain types of information, including
social security numbers, taxpayer-identification numbers, birthdates, names of individuals known
to be minors, and financial account numbers.411 FOIA cases have similarly blocked disclosure of
Social Security numbers, places of birth, dates of birth, dates of marriage, and employment
histories, though not explicitly in the rulemaking context.412 Disclosure of these types of
information would provide so little benefit to the public rulemaking process so as to render the
risks of invasion of personal privacy unjustified, and thus these specific categories of information
likely could be withheld, though the waiver submission indicates withholding is not required.
Judicial precedent under the E-Government Act reflects reluctance to expand beyond these
categories.413

407 See supra notes 156–158, 182–185, 388–390 and accompanying text.
408 See supra notes 184–186 and accompanying text.
409 See supra notes 187–189 and accompanying text.
410 See supra note 191 and accompanying text.
411 See supra notes 72, 149–150 and accompanying text.
412 See supra notes 199–200 and accompanying text.
413 See supra note 151 and accompanying text.

The obligations to screen for third-party PII are even stronger. Although information
about third parties falls outside the definition of system of records under the Privacy Act,414 it
can be protected against disclosure by FOIA Exemption 6 if the statutory criteria are met.415 Any
inferences of waiver from failure to request confidential treatment are clearly improper for
third-party PII.416 In addition, the survey conducted by the research team suggests that comments
containing third-party PII represent a much more significant concern than comments containing
third-party CBI.417
These sources suggest that agencies may bear some obligation to screen all comments for
certain types of PII. Fortunately, these types of PII represent the type of repetitive pattern that is
particularly amenable to computer-based screening. Computer-based screening that identifies the
specific types of PII enumerated above and redacts that information (or flags it for manual
review) could significantly reduce the burden on agencies while still protecting the privacy of
commenters who mistakenly submit PII.
H. The Benefits of Providing Guidance and Training to Agency Staff About Standards
for Determining What Materials Merit Withholding
The research into the substantive standards used to screen material submitted to public
rulemaking dockets revealed that only some agencies screen and that few have set standards
when determining what to redact. Some, but not all, agencies reported giving personnel
responsible for screening guidance regarding how to screen, and that guidance varied widely in
its level of specificity. Only 2 agencies reported requiring formal training of screening staff.
Some interview participants expressed concern that individual staff would base decisions on their
own conceptions of what is protectable.418

414 See supra notes 125–126, 405 and accompanying text.
415 See supra notes 104, 108–112 and accompanying text. Note again that while it is not clear whether the FOIA
requires withholding of third-party PII, it is likely that such information could be disclosed if the agency felt that it
would contribute to public understanding of its actions and doing so would not constitute “a clearly unwarranted
invasion of personal privacy.” See supra Part I.C.6.b.
416 See supra note 190 and accompanying text.
417 See supra Tables 5, 7.

The adoption and distribution of clear standards for what constitutes protectable material
would appear to offer significant benefits in terms of promoting outcomes that are uniform and
consistent with the rule of law. As noted earlier, judicial decisions interpreting FOIA Exemptions
4 and 6 provide the best guides for substantive standards, although the E-Government Act of
2002 provides important insights for PII as well. The standards for CBI should largely follow the
Supreme Court’s recent decision in Food Marketing Institute v. Argus Leader Media.419 The
standards for PII should follow the list enumerated in Section III.G.
Because of the inherent balancing involved in every FOIA decision, there are not clear,
universally recognized standards readily available for agencies to adopt. However, as explored in
the preceding section and as suggested by the categories of information protected by the rules
governing judicial disclosure issued under the E-Government Act of 2002,420 agencies should
particularly consider including the following types of PII in their screening guidance:
• Birth dates (leaving birth year disclosed).
• Financial account numbers submitted by individuals.
• The first five digits of Social Security numbers.
• Places of birth.
• Taxpayer identification numbers.
• Specific street address (leaving zip code disclosed).
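
An added example, not part of the report or of any agency's system: a Python screener for the categories listed above that applies the partial redactions the list calls for (first five SSN digits, birth month and day, street line but not ZIP code) and flags low-confidence matches for manual review, as the computer-based screening discussion in Section III.G suggests. The regular expressions, cue words, 40-character context window, and sample comment are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Finding:
    category: str   # screening category that matched
    action: str     # "redacted" (unambiguous pattern) or "review" (needs a human)
    start: int      # offset in the original comment
    matched: str    # original text, for the reviewer queue only (never published)

# Assumed cue words that must precede an ambiguous pattern before it is treated as PII.
BIRTH_CUE = r"\b(?:born|birth|dob)\b"
TAX_CUE = r"\b(?:ein|tin|tax(?:payer)?|employer)\b"
ACCOUNT_CUE = r"\b(?:account|acct|routing)\b"

def _cue(text, start, cue, window=40):
    """True if a cue word occurs in the `window` characters before `start`."""
    return re.search(cue, text[max(0, start - window):start], re.I) is not None

def _ssn_or_itin(m, text):
    area, group, serial = m.groups()
    if area.startswith("9"):                      # 9xx-xx-xxxx is an ITIN (a taxpayer ID)
        return "tin", "redacted", "[TIN REDACTED]"
    if area in ("000", "666") or group == "00" or serial == "0000":
        return None                               # never issued as an SSN
    return "ssn", "redacted", f"XXX-XX-{serial}"  # mask the first five digits only

def _ein(m, text):
    # NN-NNNNNNN also fits order or case numbers: redact only after a tax cue.
    if _cue(text, m.start(), TAX_CUE):
        return "tin", "redacted", "[TIN REDACTED]"
    return "tin", "review", None

def _birth_date(m, text):
    # Comments are full of ordinary dates; only a date after a birth cue is PII.
    if not _cue(text, m.start(), BIRTH_CUE):
        return None
    return "birth_date", "redacted", f"XX/XX/{m.group(3)}"  # birth year stays

def _account(m, text):
    if not _cue(text, m.start(), ACCOUNT_CUE):
        return None
    return "account", "redacted", "[ACCOUNT REDACTED]"

def _birth_place(m, text):
    # Free text cannot be redacted reliably by pattern, so it is only flagged.
    return ("birth_place", "review", None) if _cue(text, m.start(), BIRTH_CUE) else None

def _street(m, text):
    return "street_address", "redacted", "[STREET ADDRESS REDACTED]"  # ZIP not matched

RULES = [
    (re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"), _ssn_or_itin),
    (re.compile(r"\b\d{2}-\d{7}\b"), _ein),
    (re.compile(r"\b(\d{1,2})[/-](\d{1,2})[/-](\d{4})\b"), _birth_date),
    (re.compile(r"\b\d{8,17}\b"), _account),
    (re.compile(r"(?<=\bin )[A-Z][a-z]+(?:, [A-Z][a-z]+)?"), _birth_place),
    (re.compile(r"\b\d{1,6} (?:[A-Z][a-z]+ ){1,3}(?:Street|St|Avenue|Ave|Road|Rd|"
                r"Boulevard|Blvd|Lane|Ln|Drive|Dr|Court|Ct)\b\.?"), _street),
]

def screen_comment(text):
    """Return (public_text, findings); every rule runs against the original text."""
    hits = []
    for pattern, decide in RULES:
        for m in pattern.finditer(text):
            verdict = decide(m, text)
            if verdict:
                hits.append((m.start(), m.end(), *verdict))
    hits.sort(key=lambda h: h[:2])
    out, findings, pos = [], [], 0
    for start, end, category, action, replacement in hits:
        if start < pos:          # overlaps an earlier hit; keep the earlier one
            continue
        out.append(text[pos:start])
        out.append(replacement if action == "redacted" else text[start:end])
        findings.append(Finding(category, action, start, text[start:end]))
        pos = end
    out.append(text[pos:])
    return "".join(out), findings

# Constructed sample comment; every name and number below is made up.
SAMPLE_COMMENT = (
    "Re: Docket No. 2020-0417, notice published 03/02/2020. "
    "My name is Pat Doe, born 03/14/1985 in Dayton, Ohio. "
    "I live at 4821 Maple Grove Ave, Springfield, IL 62704-1187. "
    "My SSN is 512-44-7719 and my ITIN was 912-70-1234. "
    "Our EIN 12-3456789 is on file; refund went to account 000123456789. "
    "Call reference 45-1234567 for the shipment."
)

if __name__ == "__main__":
    public_text, review_queue = screen_comment(SAMPLE_COMMENT)
    print(public_text)
    for f in review_queue:
        print(f.action, f.category, f.start)
```

Items returned with the action "review" are left unchanged in the output text, so a comment with any such finding should be held for a human reviewer before posting.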

Agencies should also consider requiring periodic privacy training for all agency
personnel and specialized training for screening personnel.

418 See supra Part II.C.2.
419 139 S. Ct. 2356, 2363–64 (2019).
420 See supra notes 72, 149–150 and accompanying text.

I. The Benefits of Providing Clear Internal and External Guidance on Agency
Procedures for Decisions Regarding Protected Materials
In addition to providing guidance to commenters regarding processes for asserting claims
of confidentiality, good administrative practice suggests that agencies should develop and
publicize their procedures for handling such claims.
As noted earlier, one agency confers the power to determine the protectability of claimed
material upon the General Counsel or her designee.421 Another agency assigns responsibility for
initial determinations to its Assistant Secretary for FOIA, Privacy and Sunshine Acts
Compliance and allows appeals of initial determinations to the General Counsel.422 Other
agencies rely on Ombudsmen to help resolve complaints about disclosure.
To date, challenges to agency decisions regarding confidentiality appear to be rare.423
Such processes are likely to become more important should the pattern of seeking confidentiality
continue to increase in frequency, as one interview subject observed. Because challenges to
agency determinations regarding comments are rare, it is unclear which option explored above
regarding challenges is best. However, the research team recommends that each agency’s
website and NPRM designate at least one contact person for commenters to consult regarding
possible grievances with respect to withholding or disclosure.
J. The Proper Use of Redaction, Aggregation, and Anonymization Over Full
Withholding
As mentioned above, circumstances exist where withholding of certain information is
necessary. In those situations, agencies should consider adopting methods of redaction,
aggregation, and anonymization that allow the public to review some of the information
submitted instead of fully withholding a document or comment from the administrative docket or
other types of public disclosure.

421 See supra notes 380–381 and accompanying text.
422 See supra notes 382–386 and accompanying text.
423 See supra Table 13.

For example, when PII is submitted in comments, generally only that PII
(addresses, birth dates, Social Security numbers, etc.) need be redacted; all other information
can be disclosed with those particulars blacked out. CBI can similarly be protected via redaction,
especially if agencies require those submitting CBI to submit their own redacted copy. Redaction
is the simplest solution for documents and comments where there are scattered instances of CBI
or PII. And the government’s broad disclosure policy is supported by limited redaction, as
opposed to withholding. Redaction allows other commenters and those following the rulemaking
process to fully understand the arguments being put forth without risking any personal
information.
Anonymization can also be used as a tool to protect a submitter’s identity, especially
when it involves personal stories of medical history or employment. The best way to allow
commenters to take advantage of anonymization as a tool is to enable submitters to comment
anonymously. That way, an agency does not have the name of the individual at any time and
cannot disclose it in any circumstances. When using anonymization, however, agencies should
keep in mind that FOIA’s definition of an unwarranted invasion of privacy includes even those
situations where names are redacted, but a person with additional knowledge could nonetheless
identify the individual.424
When an agency is confronted with a large amount of confidential information from a
number of businesses, it should use both aggregation and anonymization to disclose that
data. For example, agencies can disclose CBI that includes sensitive numerical data tied to a
sufficiently large number of businesses if all identifying information is removed. However,
agencies must make sure that any individual businesses are not readily identifiable from the
information they disclose. If there is one key statistic that could identify a business, aggregation
would not offer sufficient protection.

424 See supra notes 180–84 and accompanying text.

IV. CONCLUSION
Many agencies are now in the midst of a significant increase of public comments as
online commenting portals allow for increased participation across the country. By adopting
some or all of the methods mentioned above, agencies can strike the proper balance between
honoring their statutory obligations towards openness while still taking care to protect personal
and business information privacy. In particular, a focus on providing multiple levels of notice to
submitters will allow commenters to make informed decisions about the information they want to
disclose, while relieving some of the pressure on agencies to proactively screen thousands of
comments.

APPENDICES
Appendix A: Text of the Survey Sent to Agencies
2019 Survey on Protected Materials in Public Rulemaking Dockets
Welcome to the 2019 Survey on Protected Materials in Public Rulemaking Dockets. This survey
is part of a project for the Administrative Conference of the United States (ACUS) that is
exploring how agencies can achieve the proper level of disclosure while protecting sensitive
materials in their public rulemaking dockets. For more information about the project, please visit
the ACUS website here: https://www.acus.gov/research-projects/protected-materials-public-rulemaking-dockets.
Purpose of the Survey: This survey aims to learn about agency practices involving the
protection of confidential business information, such as trade secrets and financial regulatory
information, and personally identifiable information, including medical information, in public
rulemaking dockets. It will help inform generalized recommendations about how agencies can
best balance transparency and the protection of sensitive materials within their public rulemaking
dockets.
Study Procedures: This survey should take 15 to 30 minutes to complete. The ideal respondent
is an agency official with firsthand knowledge of the agency’s procedures and practices on
screening comments and identifying confidential business information, such as trade secrets and
financial regulatory information, and personally identifiable information, including medical
information, within such comments or within any other part of the rulemaking docket. All
answers are voluntary. We would be very grateful if you could complete the survey by January
10, 2020.
Confidentiality of Responses: This project report for ACUS will identify the names of the
agencies participating in the survey and use survey responses to provide aggregated information
about agency practices. For example, the report will summarize recommended best practices, but
will not attribute specific responses to particular agencies without explicit permission.
Who to Contact with Questions:
Christopher Yoo
John H. Chestnut Professor of Law, Communication, and Computer & Information Science
Founding Director, Center for Technology, Innovation and Competition
University of Pennsylvania
(215) 746-8772
csyoo@law.upenn.edu
Todd Rubin
Attorney Advisor
Administrative Conference of the United States
(202) 480-2097
trubin@acus.gov

Identifying Information
What is the name of your agency?
What is your position at the agency (including the office in which you work)?
Protected Materials
Which of the following types of confidential business information (CBI) does your agency
encounter during its rulemaking proceedings, either in public comments or otherwise? (Check all
that apply.)
Trade Secrets
Financial Regulatory Information (e.g. Form 8-K, Form 10-K)
Other kinds of CBI (please specify)
Of the types of CBI that your agency receives through public comments, how often is the
information submitted about a third party, rather than about the submitter?

Which of the following types of personally identifiable information (PII) does your agency
encounter during its rulemaking proceedings, either in public comments or otherwise? (Check all
that apply.)
Social Security numbers
Medical information
Other kinds of PII (please specify)
Of the types of PII that your agency receives through public comments, how often is the
information submitted about a third party, rather than about the submitter?

Does your agency provide advance guidance to the public regarding its policies on the
submission of CBI and PII in the following types of proceedings? If so, how is that guidance
provided? (Check all that apply.)
Public comments in response to an Advance Notice of Proposed Rulemaking or Notice of
Proposed Rulemaking
Statements made at public meetings
Information submitted during a negotiated rulemaking
Survey responses
Ex parte communications
Other (please specify)

Does your agency screen information received during its rulemaking proceeding for CBI and
PII?
Yes
No
If so, who screens for CBI and PII? (Check all that apply.)*
Agency employees
Independent contractor
Artificial Intelligence
Other (please specify)
What guidelines are given to the screeners to identify CBI and PII?
On a scale of 0-10, how often does your agency exclude from its public rulemaking docket CBI
or PII submitted by the public?

Does your agency have a review process for challenging decisions regarding the disclosure or
withholding of CBI or PII from its public rulemaking docket? If so, please provide details of that
process. (Check all that apply.)
Process for challenging decisions regarding disclosure
Process for challenging decisions regarding withholding
On a scale of 0-10, how often are challenges regarding disclosure brought?

On a scale of 0-10, how often are challenges regarding withholding brought?

What techniques, if any, does your agency use to facilitate meaningful public comment regarding
CBI and PII that has been withheld? (Please check all that apply.)
Aggregation
Redaction
Anonymization
Other (please specify)
If there is anything further you would like us to know or consider, please let us know here.
Closing Questions
Please provide your name and contact information for survey validity.
Would you be willing to speak with us in more detail, either on or off the record?
Yes
No
Are you willing to have your responses tied to your agency in the report? The report will include
which agencies participated in this survey, but specific responses will not be connected to any
agency without permission.
Yes
No

* The version of this question that appeared on the survey was misstated. The research team contacted all survey
respondents by email requesting a response to the corrected question. The answers to the corrected questions are
reflected in this report.

Appendix B: Comparison of NPRM Language on the Disclosure and Withholding of
Protected Materials in Rulemaking Dockets

| Agency | Notice of Public Disclosure | Explicit Guidance Not to Disclose PII* | Explicit Guidance Not to Disclose CBI | Process for Confidential Submission | Citation |
|---|---|---|---|---|---|
| Commodity Futures Trading Commission | Yes | No | No | No | 84 Fed. Reg. 21,044 (May 13, 2019). |
| Centers for Medicare and Medicaid Services | Yes | No | No | No | 85 Fed. Reg. 7,501 (Feb. 10, 2020). |
| Consumer Financial Protection Bureau | Yes | Yes | No | No | 84 Fed. Reg. 67,132 (Dec. 6, 2019). |
| Federal Communications Commission | No | No | No | No | 85 Fed. Reg. 6,841 (Feb. 6, 2020). |
| Federal Election Commission | Yes | Yes | Yes | No | 83 Fed. Reg. 12,864 (Mar. 26, 2018). |
| Federal Energy Regulatory Commission | Yes | No | No | No | 85 Fed. Reg. 6,831 (Feb. 6, 2020). |
| Federal Housing Finance Agency | Yes | No | No | No | 84 Fed. Reg. 68,350 (Dec. 16, 2019). |
| Federal Mine Safety and Health Review Commission | No | No | No | No | 75 Fed. Reg. 28,223 (May 20, 2010). |
| Federal Trade Commission | Yes | Yes | Yes | Yes | 84 Fed. Reg. 58,348 (Oct. 31, 2019). |
| Internal Revenue Service | Yes | No | No | No | 85 Fed. Reg. 2,061 (Jan. 14, 2020). |
| National Archives and Records Administration | No | No | No | No | 83 Fed. Reg. 45,587 (Sept. 10, 2018). |
| National Labor Relations Board | Yes | Yes | No | No | 84 Fed. Reg. 49,691 (Sept. 23, 2019). |
| Occupational Safety and Health Administration | Yes | Yes | No | No | 84 Fed. Reg. 53,902 (Oct. 8, 2019). |
| Occupational Safety and Health Review Commission | No | No | No | No | 83 Fed. Reg. 48,578 (Sept. 26, 2018). |
| Office of Management and Budget | Yes | Yes | Yes | No | 83 Fed. Reg. 42,610 (Aug. 23, 2018). |
| Office of the Comptroller of the Currency | Yes | Yes | Yes | No | 85 Fed. Reg. 1,052 (Jan. 8, 2020). |
| Postal Regulatory Commission | No | No | No | No | 84 Fed. Reg. 53,840 (Oct. 8, 2019). |
| Surface Transportation Board | Yes | No | No | No | 84 Fed. Reg. 65,768 (Nov. 29, 2019). |
| U.S. Department of Agriculture | Yes | Yes | Yes | Yes | 85 Fed. Reg. 2,897 (Jan. 17, 2020). |
| U.S. Department of Commerce (NIST) | Yes | Yes | Yes | No | 85 Fed. Reg. 7,258 (Feb. 7, 2020). |
| U.S. Department of Defense | Yes | No | No | No | 83 Fed. Reg. 46,542 (Sept. 13, 2018). |
| U.S. Department of Education | Yes | No | No | No | 84 Fed. Reg. 67,778 (Dec. 11, 2019). |
| U.S. Department of Energy | Yes | Yes | Yes | Yes | 84 Fed. Reg. 62,481 (Nov. 15, 2019). |
| U.S. Department of Homeland Security | Yes | No | No | No | 84 Fed. Reg. 30,634 (June 27, 2019). |
| U.S. Department of Justice | Yes | Yes | Yes | Yes | 85 Fed. Reg. 5,356 (Jan. 30, 2020). |
| U.S. Department of Labor | Yes | No | No | No | 84 Fed. Reg. 53,956 (Oct. 8, 2019). |
| U.S. Department of State | Yes | Yes | No | Yes | 83 Fed. Reg. 24,198 (May 24, 2018). |
| U.S. Department of the Treasury | Yes | No | No | No | 82 Fed. Reg. 67 (Jan. 3, 2017). |
| U.S. Department of Transportation | Yes | No | No | No | 84 Fed. Reg. 52,706 (Oct. 2, 2019). |
| U.S. Department of Veterans Affairs | Yes | No | No | No | 84 Fed. Reg. 13,576 (Apr. 5, 2019). |
| U.S. Environmental Protection Agency | Yes | No | Yes | Yes | 85 Fed. Reg. 7,480 (Feb. 10, 2020). |
| U.S. Equal Employment Opportunity Commission | Yes | Yes | No | No | 84 Fed. Reg. 5,624 (Feb. 22, 2019). |
| U.S. Food and Drug Administration | Yes | Yes | Yes | Yes | 84 Fed. Reg. 12,740 (Apr. 2, 2019). |
| U.S. General Services Administration | Yes | No | No | No | 83 Fed. Reg. 55,838 (Nov. 8, 2018). |
| U.S. International Trade Commission | Yes | No | No | No | 82 Fed. Reg. 44,982 (Sept. 27, 2017). |
| U.S. Merit Systems Protection Board | Yes | Yes | Yes | Yes | 79 Fed. Reg. 18,658 (Apr. 3, 2014). |
| U.S. Nuclear Regulatory Commission | Yes | Yes | No | No | 85 Fed. Reg. 1,129 (Jan. 9, 2020). |
| U.S. Office of Government Ethics | Yes | Yes | No | No | 85 Fed. Reg. 7,252 (Feb. 7, 2020). |
| U.S. Office of Personnel Management | Yes | No | No | No | 48 Fed. Reg. 72,250 (Dec. 31, 2019). |
| U.S. Securities and Exchange Commission | Yes | Yes | No | No | 84 Fed. Reg. 44,358 (Aug. 23, 2019). |
| U.S. Small Business Association | Yes | No | No | Yes | 84 Fed. Reg. 29,399 (June 24, 2019). |
| U.S. Social Security Administration | Yes | Yes | No | No | 84 Fed. Reg. 65,040 (Nov. 26, 2019). |

* While many agencies mention that public information will be posted, this category is limited to agencies that
explicitly discourage users from including personally identifiable information in the body of their comments.

Appendix C: Comparison of Language on the Disclosure and Withholding of Protected
Materials in SORNs Regarding Rulemaking Dockets

| Agency | System Name | Mentions Public Disclosure of Comments | Mentions Possible Redaction | Citation |
|---|---|---|---|---|
| Commodity Futures Trading Commission | CFTC-45 | Yes | Yes | 84 Fed. Reg. 17,816 (Apr. 26, 2019). |
| Federal Communications Commission | FCC/CGB–2; Comment Filing System (ECFS) | Yes | No* | 71 Fed. Reg. 17,234 (Apr. 5, 2006). |
| Federal Trade Commission | FTC-I-6 | Yes | No | 73 Fed. Reg. 33,592 (June 12, 2008). |
| U.S. Department of Defense | DoD Federal Docket Management System (DoDFDMS) | Yes | No | 71 Fed. Reg. 586 (Jan. 5, 2006). |
| U.S. Department of Justice | Justice Federal Docket Management System [Justice FDMS], DOJ–013 | Yes | Yes | 72 Fed. Reg. 12,196 (Mar. 15, 2007). |
| U.S. Department of Labor | Department of Labor Federal Docket Management System (DOLFDMS), DOL/CENTRAL–8. | Yes | No | 84 Fed. Reg. 57,484 (Oct. 25, 2019). |
| U.S. Department of the Treasury | Department of the Treasury—.018 ERulemaking System of Records | Yes | Yes | 85 Fed. Reg. 1,198 (Jan. 9, 2020). |
| U.S. Department of Transportation | DOT/ALL 14: Federal Docket Management System | Yes | No | 73 Fed. Reg. 3,316 (Jan. 17, 2008). |
| U.S. Department of Veterans Affairs | Department of Veterans Affairs Federal Docket Management System Commenter Information (VAFDMS) | Yes | No | 82 Fed. Reg. 35,872 (Aug. 1, 2017). |
| U.S. Environmental Protection Agency | Federal Docket Management System (FDMS) | Yes | Yes | 70 Fed. Reg. 15,086 (Mar. 24, 2005). |

* Mentions policies for confidential submission, but no other affirmative redaction.

Appendix D: Model NPRM Language on the Disclosure and Withholding of Protected Materials
in Rulemaking Dockets
All comments received are considered part of the public record and made available for public
inspection online at [Regulations.gov]. Information made available for public inspection includes
personal identifying information (such as your name, address, etc.) or any other information
voluntarily submitted by the commenter. Once submitted, comments cannot be edited or
removed from [Regulations.gov]. [Agency] may publish any comment received to its public
docket.
Those submitting comments should not include any information, including Social Security
numbers, birthdates, financial information, contact information, medical information, or other
similar information that they do not want to be publicly viewable. You are solely responsible for
making sure that your comment does not include any sensitive personal information. Submission
of personally identifiable information into the rulemaking docket constitutes a waiver of any
claims of confidentiality. [OPTIONAL LANGUAGE FOR AGENCIES THAT WANT TO
ACCEPT PII: If you wish to submit personally identifiable information, see the section on
Personally Identifiable Information.]
Those submitting comments should not include any information for which disclosure is
restricted by statute, such as trade secrets and commercial or financial information (hereinafter
referred to as Confidential Business Information (“CBI”)). You are solely responsible for making
sure that your comment does not include any confidential business information. Submission of
confidential business information into the rulemaking docket without a request for protected
treatment constitutes a waiver of any claims of confidentiality. [OPTIONAL LANGUAGE
FOR AGENCIES THAT WANT TO ACCEPT CBI: For information on requesting protected
treatment of CBI, see the section on Confidential Business Information.]
The agency reserves the right to redact any submissions in part or in full when making comments
available to the public. If you have questions about any decisions to disclose or withhold any
information or if you have questions about your publicly viewable comment, please contact
[docket staff/agency counsel/other contact person.]
Potential Additional Language for Agencies That Want to Receive PII
Personally Identifiable Information
If you wish to submit personal identifying information (such as your name, address, etc.) as part
of your comment, but do not wish it to be posted online, you must include the phrase
“PERSONAL IDENTIFYING INFORMATION” in the first paragraph of your comment. You
must also locate all the personal identifying information that you do not want posted online in the
first paragraph of your comment and identify what information you want the agency to redact.
Your comment will be kept confidential only if agency staff grants your request in accordance
with the law and the public interest. Personal identifying information identified and located as set
forth above and approved by agency staff will be placed in the agency’s public docket file, but
not posted online.

Potential Additional Language for Agencies That Want to Receive CBI
Option 1
Confidential Business Information
If you wish to submit confidential business information as part of your comment but do not wish
it to be posted online, you must include the phrase “CONFIDENTIAL BUSINESS
INFORMATION” in the first paragraph of your comment. You must also prominently identify
the confidential business information to be redacted within the comment. Your comment will be
kept confidential only if agency staff grants your request in accordance with the law and the
public interest. The agency has the discretion to post that comment as redacted, make revisions
to the request for redaction, not to post comments that contain so much confidential business
information that they cannot be redacted effectively, or to reject claims of confidentiality.
Confidential business information identified and located as set forth above and approved by
agency staff will not be placed in the public docket file, nor will it be posted online.
Option 2
Confidential Business Information
If you wish to submit confidential business information as part of your comment but do not wish
it to be posted online, you must submit your comments [“only as a written or paper submission”
or “through [Regulations.gov]”]. You should submit two copies total. One copy will include the
information you claim to be confidential with a heading or cover note that states “THIS
DOCUMENT CONTAINS CONFIDENTIAL INFORMATION.” The Agency will review this
copy, including the claimed confidential information, in its consideration of comments. The
second copy, which will have the claimed confidential information redacted or blacked out, will
be available for public viewing online. Submit both copies to the Dockets Management Staff. If
you do not wish your name and contact information to be made publicly available, you can
provide this information on the cover sheet and not in the body of your comments and you must
identify this information as “confidential.” Your comment will be kept confidential only if
agency staff grants your request in accordance with the law and the public interest. The agency
has the discretion to post that comment as redacted, to make revisions to the request for
redaction, not to post comments that contain so much confidential business information that they
cannot be redacted effectively, or to reject claims of confidentiality. Confidential business
information identified and located as set forth above and approved by agency staff will not be
placed in the public docket file, nor will it be posted online.


Appendix E: Model Website Language on the Disclosure and Withholding of Protected
Materials in Rulemaking Dockets
The model language is based on the primary disclosure appearing at the bottom of the
comment submission page on Regulations.gov. Additional text is marked in bold.
Any information (e.g., personal or contact) you provide on this comment form or
in an attachment may be publicly disclosed and searchable on the Internet and in a
paper docket and will be provided to the Department or Agency issuing the
notice. Do not submit information whose disclosure is restricted by statute,
such as trade secrets or commercial and financial information, via [the online
commenting platform]. Do not submit sensitive personal information, such as
social security numbers or banking information, or confidential business
information, such as trade secrets, via [the online commenting platform]. To
view any additional information for submitting comments, such as anonymous or
sensitive submissions, refer to the [link to detailed information about submitting
paper or email comments], the Federal Register notice on which you are
commenting, and the Web site of the Department or Agency.


