(a) Conditions for disclosure. Except as otherwise authorized
in this subchapter, a covered entity may not, directly or through any affiliate,
disclose any nonpublic personal financial information about a consumer to
a nonaffiliated third party unless:
(1) the covered entity has provided to the consumer an initial
notice as required under §22.8 of this title (relating to Initial Privacy
Notice);
(2) the covered entity has provided to the consumer an opt
out notice as required in §22.11 of this title (relating to Form of Opt
Out Notice to Consumers and Opt Out Methods);
(3) the covered entity has given the consumer a reasonable
opportunity, before it discloses the information to the nonaffiliated third
party, to opt out of the disclosure; and
(4) the consumer does not opt out.
(b) Examples of reasonable opportunity to opt out. A covered
entity provides a consumer with a reasonable opportunity to opt out if:
(1) the covered entity mails the notices required in subsection
(a) of this section to the consumer and allows the consumer to opt out by
mailing a form, calling a toll-free telephone number or any other reasonable
means within 30 days from the date the covered entity mailed the notices.
(2) a customer opens an on-line account with a covered entity
and agrees to receive the notices required in subsection (a) of this section
electronically, and the covered entity allows the customer to opt out by any
reasonable means within 30 days after the date that the customer acknowledges
receipt of the notices in conjunction with opening the account.
(3) for an isolated transaction such as providing the consumer
with an insurance quote, a covered entity provides the consumer with a reasonable
opportunity to opt out if the covered entity provides the notices required
in subsection (a) of this section at the time of the transaction and requests
that the consumer decide, as a necessary part of the transaction, whether
to opt out before completing the transaction.
(c) Application of opt out to all consumers and all nonpublic
personal financial information.
(1) A covered entity shall comply with this section, regardless
of whether the covered entity and the consumer have established a customer
relationship.
(2) Unless a covered entity complies with this section, the
covered entity may not, directly or through any affiliate, disclose any nonpublic
personal financial information about a consumer that the covered entity has
collected, regardless of whether the covered entity collected it before or
after receiving the direction to opt out from the consumer.
(d) Partial opt out. A covered entity may allow a consumer
to select certain nonpublic personal financial information or certain nonaffiliated
third parties with respect to which the consumer wishes to opt out.
|