(a) A covered entity must provide a clear and conspicuous
notice to customers that accurately reflects its privacy policies
and practices not less than annually during the continuation of the
customer relationship, except as provided in subsection (d) of this
section. "Annually" means at least once in any period of 12 consecutive
months during which that relationship exists. A covered entity may
define the 12-consecutive-month period, but the covered entity must
apply it to the customer on a consistent basis. A covered entity provides
a notice annually if it defines the 12-consecutive-month period as
a calendar year and provides the annual notice to the customer once
in each calendar year following the calendar year in which the covered
entity provided the initial notice. For example, if a customer opens
an account on any day of year 1, the covered entity must provide an
annual notice to that customer by December 31 of year 2.
(b) A covered entity is not required to provide an
annual notice to a former customer. A former customer is an individual
with whom a covered entity no longer has a continuing relationship.
A covered entity no longer has a continuing relationship with an individual:
(1) if the individual no longer is a current policyholder
of an insurance product or no longer obtains insurance services with
or through the covered entity;
(2) if the individual's policy is lapsed, expired,
or otherwise not in force, and the covered entity has not communicated
with the customer about the relationship for a period of 12 consecutive
months, other than to provide annual privacy notices, material required
by law or regulation, communication at the direction of a state or
federal authority, or promotional materials;
(3) for the purposes of this subchapter, if:
(A) the covered entity sends mail to the individual's
last known address, according to the covered entity's records, and
the postal authorities return that mail as undeliverable, and
(B) subsequent attempts by the covered entity to obtain
a current valid address for the individual are unsuccessful; or
(4) in the case of providing real estate settlement
services, at the later of the following events:
(A) the customer completes execution of all documents
related to the real estate closing;
(B) payment for those services has been received; or
(C) the covered entity has completed all of its responsibilities
with respect to the settlement, including filing documents in the
public record.
(c) A covered entity must deliver any annual privacy
notices required by this section according to §22.13 of this
title (relating to Delivery).
(d) A covered entity that is excepted from annual privacy
notice requirements under 15 U.S.C. §6803(f), or one that would
be excepted if it were a financial institution, is not required to
provide an annual privacy notice under this section. At any time the
covered entity fails to meet both criteria for the exception under
§6803(f), the covered entity is subject to the annual notice
requirement in this section.