|(a) A covered entity shall not, directly or through an affiliate,
disclose, other than to a consumer reporting agency, a policy number or similar
form of access number or access code for a consumer's policy or transaction
account to any nonaffiliated third party for use in telemarketing, direct
mail marketing or other marketing through electronic mail to the consumer.
(b) Subsection (a) of this section does not apply if a covered
entity discloses a policy number or similar form of access number or access
(1) to a service provider, including another covered entity,
solely for the purpose of marketing the sharing covered entity's own products
or services, so long as the receiving covered entity is not authorized to
initiate charges directly to the account; or
(2) to a participant in an affinity or similar program as set
forth in 12 CFR §40.12(b)(2), 12 CFR §216.12(b)(2), 12 CFR §332.12(b)(2),
12 CFR §573.12(b)(2), and 12 CFR §716.12(b)(2), where the participants
in the program are identified to the customer when the customer enters into
(c) A policy number, or similar form of access number or access
code, does not include a number or code in an encrypted form, so long as the
covered entity does not provide the recipient with a means to decode the number
(d) For the purposes of this section, a policy or transaction
account is an account other than a deposit account or a credit card account.
A policy or transaction account does not include an account to which third
parties cannot initiate charges.