| (a) Simplified nondisclosure notice requirements. A
covered entity that does not disclose, and does not reserve the right
to disclose, nonpublic personal financial information about customers
or former customers to nonaffiliated third parties except as authorized
under §22.18 of this title (relating to Exceptions to Notice
and Opt Out Requirements for Disclosure of Nonpublic Personal Financial
Information for Processing and Servicing Transactions) and §22.19
of this title (relating to Other Exceptions to Notice and Opt Out
Requirements for Disclosure of Nonpublic Personal Financial Information),
may comply with this subchapter by providing a simplified notice that
expresses:
(1) the nondisclosure policy stated in this subsection,
and
(2) the information required by subsections (b)(1),
(b)(8), (b)(9), and (c) of this section.
(b) Disclosure notice requirements. The initial, annual,
and revised privacy notices a covered entity provides under §22.8
of this title (relating to Initial Privacy Notice), §22.9 of
this title (relating to Annual Privacy Notice), and §22.12 of
this title (relating to Revised Privacy Notices) must include the
following items of information, in addition to any other information
the covered entity wishes to provide, that applies to the covered
entity and to the consumers to whom the covered entity sends its privacy
notice.
(1) The categories of nonpublic personal financial
information the covered entity collects. A covered entity satisfies
the requirement to categorize the nonpublic personal financial information
it collects when the covered entity categorizes it according to the
source of the information, as applicable, including:
(A) information from the consumer;
(B) information about the consumer's transactions with
the covered entity or its affiliates;
(C) information about the consumer's transactions with
nonaffiliated third parties; and
(D) information from a consumer reporting agency.
(2) The categories of nonpublic personal financial
information the covered entity discloses.
(A) A covered entity satisfies the requirement to categorize
nonpublic personal financial information it discloses when the covered
entity categorizes the information according to source, as described
in paragraph (1) of this subsection, as applicable, and provides examples
to illustrate the types of information in each category, such as:
(i) information from the consumer, including application
information (such as assets and income) and identifying information
(such as name, address, and social security number);
(ii) transaction information (such as information about
balances, payment history, and parties to the transaction); and
(iii) information from consumer reports (such as a
consumer's creditworthiness and credit history).
(B) A covered entity does not adequately categorize
the information it discloses when the covered entity uses only general
terms (such as transaction information about the consumer).
(C) A covered entity that reserves the right to disclose
all the nonpublic personal financial information about consumers it
collects may state that fact without describing the categories or
examples of nonpublic personal financial information the covered entity
discloses.
(3) The categories of affiliates and nonaffiliated
third parties to whom the covered entity discloses nonpublic personal
financial information, other than those parties to whom the covered
entity discloses information under §22.18 and §22.19 of
this title.
(4) The categories of nonpublic personal financial
information about the covered entity's former customers that the covered
entity discloses and the categories of affiliates and nonaffiliated
third parties to whom the covered entity discloses nonpublic personal
financial information about the covered entity's former customers,
other than those parties to whom the covered entity discloses information
under §22.18 and §22.19 of this title.
(5) A separate description of the categories of information
the covered entity discloses and the categories of third parties with
whom the covered entity has contracted, if the covered entity discloses
nonpublic personal financial information to a nonaffiliated third
party under §22.17 of this title (relating to Exception to Opt
Out Requirements for Disclosure of Nonpublic Personal Financial Information
for Service Providers and Joint Marketing) and no other exception
in §22.18 and §22.19 of this title applies to that disclosure.
(6) An explanation of the consumer's right under §22.14(a)
of this title (relating to Limits on Disclosure of Nonpublic Personal
Financial Information to Nonaffiliated Third Parties) to opt out of
the disclosure of nonpublic personal financial information to nonaffiliated
third parties, including the methods by which the consumer may exercise
that right at that time.
(7) Any disclosures the covered entity makes under §603(d)(2)(A)(iii)
of the federal FCRA (15 U.S.C. §1681a(d)(2)(A)(iii)) (that is,
notices regarding the ability to opt out of disclosures of information
among affiliates).
(8) The covered entity's policies and practices with
respect to protecting the confidentiality and security of nonpublic
personal financial information. A covered entity provides an adequate
description of its policies and practices with respect to protecting
the confidentiality and security of nonpublic personal financial information
if it does both of the following:
(A) describes in general terms who is authorized to
have access to the information; and
(B) states whether the covered entity has security
practices and procedures in place to ensure the confidentiality of
the information under the covered entity's policy. The covered entity
is not required to describe technical information about the safeguards
it uses.
(9) Any disclosure the covered entity makes under subsection
(c) of this section.
(c) Description of nonaffiliated third parties subject
to exceptions. A covered entity that discloses nonpublic personal
financial information to third parties as authorized under §22.18
and §22.19 of this title is not required to list those exceptions
in the initial or annual privacy notices required by §22.8 and §22.9
of this title. When describing the categories of parties to whom the
covered entity makes disclosures, it is sufficient for the covered
entity to state that it makes disclosures to other nonaffiliated companies:
(1) for the covered entity's everyday business purposes,
such as (include all that apply) to process account transactions,
maintain accounts, respond to court orders and legal investigations,
or report to credit bureaus; or
(2) as permitted by law.
(d) Appropriate methods of categorizing affiliates
and nonaffiliated third parties.
(1) A covered entity satisfies the requirement to categorize
the affiliates and nonaffiliated third parties to which the covered
entity discloses nonpublic personal financial information about consumers
if the covered entity identifies the types of businesses in which
they engage.
(2) Types of businesses may be described by general
terms only if the covered entity uses illustrative examples of significant
lines of business. For example, a covered entity may use the term
"financial products or services" if the notice includes appropriate
examples of significant lines of businesses or services, such as life
insurer, automobile insurer, consumer banking, or securities brokerage.
(3) A covered entity also may categorize the affiliates
and nonaffiliated third parties to which it discloses nonpublic personal
financial information about consumers using more detailed categories.
(e) Disclosures under exception for service providers
and joint marketers. A covered entity that discloses nonpublic personal
financial information under the exception in §22.17 of this title
to a nonaffiliated third party to market products or services it offers
alone or jointly with another financial institution satisfies the
disclosure requirement of subsection (b)(5) of this section if it:
(1) lists the categories of nonpublic personal financial
information it discloses, using the same categories and examples the
covered entity used to meet the requirements of subsection (a)(2)
of this section, as applicable; and
(2) states whether the third party is:
(A) a service provider that performs marketing services
on the covered entity's behalf or on behalf of the covered entity
and another financial institution; or
Cont'd... |
