(a) Except as otherwise authorized in this subchapter, a covered
entity shall not, directly or through an affiliate, disclose any nonpublic
personal financial information about a consumer to a nonaffiliated third party
other than as described in the initial notice that the covered entity provided
to that consumer under §22.8 of this title (relating to Initial Privacy
Notice), unless:
(1) the covered entity has provided to the consumer a clear
and conspicuous revised notice that accurately describes its policies and
practices;
(2) the covered entity has provided to the consumer a new opt
out notice;
(3) the covered entity has given the consumer a reasonable
opportunity, before the covered entity discloses the information to the nonaffiliated
third party, to opt out of the disclosure; and
(4) the consumer does not opt out.
(b) Except as otherwise permitted by §22.17 of this title
(relating to Exception to Opt Out Requirements for Disclosure of Nonpublic
Personal Financial Information for Service Providers and Joint Marketing), §22.18
of this title (relating to Exceptions to Notice and Opt Out Requirements for
Disclosure of Nonpublic Personal Financial Information for Processing and
Servicing Transactions) and §22.19 of this title (relating to Other Exceptions
to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial
Information), a covered entity shall provide a revised notice before it:
(1) discloses a new category of nonpublic personal financial
information to any nonaffiliated third party;
(2) discloses nonpublic personal financial information to a
new category of nonaffiliated third party; or
(3) discloses nonpublic personal financial information about
a former customer to a nonaffiliated third party, if that former customer
has not had the opportunity to exercise an opt out right regarding that disclosure.
(c) A revised notice is not required if the covered entity
discloses nonpublic personal financial information to a new nonaffiliated
third party that the covered entity adequately described in its prior notice.
(d) When a covered entity is required to deliver a revised
privacy notice by this section, the covered entity shall deliver it according
to §22.13 of this title (relating to Delivery).