(a) Clear and conspicuous notice. If a covered entity
is required to provide an opt out notice under §22.14(a) of this
title (relating to Limits on Disclosure of Nonpublic Personal Financial
Information to Nonaffiliated Third Parties), it must provide a clear
and conspicuous notice to each of its consumers that accurately explains
the right to opt out. The notice must state:
(1) that the covered entity discloses or reserves the
right to disclose nonpublic personal financial information about its
consumer to a nonaffiliated third party;
(2) that the consumer has the right to opt out of that
disclosure; and
(3) a reasonable means by which the consumer may opt
out.
(b) Adequate opt out notice. A covered entity provides
adequate notice that the consumer can opt out of the disclosure of
nonpublic personal financial information to a nonaffiliated third
party if the covered entity:
(1) identifies all of the categories of nonpublic personal
financial information it discloses or reserves the right to disclose,
and all of the categories of nonaffiliated third parties to which
the covered entity discloses the information, as described in §22.10(a)(2)
and (3) of this title (relating to Information to be Included in Privacy
Notices), and states that the consumer can opt out of the disclosure
of that information; and
(2) identifies the insurance products or services the
consumer obtains from the covered entity, either singly or jointly,
to which the opt out direction would apply.
(c) Reasonable opt out means. A covered entity provides
a reasonable means to exercise an opt out right if it:
(1) designates check-off boxes in a prominent position
on the relevant forms with the opt out notice; and
(2) includes the reply form together with the opt out
notice; or
(3) provides an electronic means to opt out, such as
a form that can be sent by electronic mail or a process on the covered
entity's website, if the consumer agrees to the electronic delivery
of information; or
(4) provides a toll-free telephone number consumers
may call to opt out.
(d) Unreasonable opt out means. A covered entity does
not provide a reasonable means of opting out if:
(1) the only means of opting out is for the consumer
to write his or her own letter to exercise that opt out right; or
(2) the only means of opting out as described in any
notice subsequent to the initial notice is to use a check-off box
that the covered entity provided with the initial notice but did not
include with the subsequent notice.
(e) Specific opt out means. A covered entity may require
each consumer to opt out through a specific means, so long as that
means is reasonable for that consumer.
(f) Opt out notice with or on a written or electronic
form. A covered entity may provide the opt out notice together with,
or on the same written or electronic form as, the initial notice the
covered entity provides in accord with §22.8 of this title (relating
to Initial Privacy Notice).
(g) Opt out notice later than initial notice. If a
covered entity provides the opt out notice later than required for
the initial notice in accord with §22.8 of this title, the covered
entity must also include a copy of the initial notice with the opt
out notice in writing or, if the consumer agrees, electronically.
(h) Joint relationships. A covered entity must use
the procedures set out in paragraphs (1) - (4) of this subsection
when joint relationships between consumers are involved.
(1) If two or more consumers jointly obtain or seek
to obtain an insurance product or service from a covered entity, the
covered entity may provide a single opt out notice. The covered entity's
opt out notice must explain how the covered entity will treat an opt
out direction by a joint consumer (as explained in subsection (i)
of this section).
(2) Any of the joint consumers may exercise the right
to opt out. The covered entity may either:
(A) treat an opt out direction by a joint consumer
as applying to all of the associated joint consumers; or
(B) permit each joint consumer to opt out separately.
(3) If a covered entity permits each joint consumer
to opt out separately, the covered entity must permit one of the joint
consumers to opt out on behalf of all the joint consumers.
(4) A covered entity may not require all joint consumers
to opt out before it implements any opt out direction.
(i) Examples. The following are examples of how a covered
entity should treat a joint relationship. If John and Mary are both
named policyholders on a homeowner's insurance policy issued by a
covered entity and the covered entity sends policy statements to John's
address, the covered entity may do any of the following, but it must
explain in its opt out notice which opt out policy the covered entity
will follow:
(1) Send a single opt out notice to John's address,
but the covered entity must accept an opt out direction from either
John or Mary.
(2) Treat an opt out direction by either John or Mary
as applying to the entire policy. If the covered entity does so and
John opts out, the covered entity may not require Mary to opt out
as well before implementing John's opt out direction.
(3) Permit John and Mary to make different opt out
directions. If the covered entity does so:
(A) it must permit John and Mary to opt out for each
other;
(B) if both opt out, the covered entity must permit
both of them to notify it in a single response (such as on a form
or through a telephone call); and
(C) if John opts out and Mary does not, the covered
entity may only disclose nonpublic personal financial information
about Mary, but not about John, and not about John and Mary jointly.
(j) Opt out direction. A covered entity must comply
with a consumer's opt out direction as soon as reasonably practicable
after the covered entity receives it.
(k) Consumer's right to opt out. A consumer may exercise
the right to opt out at any time.
(l) A consumer's direction. A consumer's direction
to opt out under this section is effective until the consumer revokes
it in writing or, if the consumer has agreed to conduct business electronically,
electronically.
(m) Customer relationship. When a customer relationship
terminates, the customer's opt out direction continues to apply to
the nonpublic personal financial information the covered entity collected
during or related to that relationship. If the individual subsequently
establishes a new customer relationship with the covered entity, the
opt out direction that applied to the former relationship does not
apply to the new relationship.
(n) Opt out delivery. When a covered entity is required
to deliver an opt out notice by this section, the covered entity must
deliver it according to §22.13 of this title (relating to Delivery).
(o) Notice content requirements. A model privacy form
that meets the notice content requirement of this section appears
in 74 Federal Register 62890 (December
1, 2009). A covered entity may use the applicable model privacy form,
consistent with the instructions in §22.27 of this title (relating
to General Instructions).