(a) Simplified nondisclosure notice requirements. A covered
entity that does not disclose, and does not reserve the right to disclose,
nonpublic personal financial information about customers or former customers
to nonaffiliated third parties except as authorized under §22.18 of this
title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure
of Nonpublic Personal Financial Information for Processing and Servicing Transactions)
and §22.19 of this title (relating to Other Exceptions to Notice and
Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information),
may comply with this subchapter by providing a simplified notice which expresses:
(1) the nondisclosure policy stated in this subsection, and
(2) the information required by subsections (b)(1), (b)(8),
(b)(9), and (c) of this section.
(b) Disclosure notice requirements. The initial, annual and
revised privacy notices that a covered entity provides under §22.8 of
this title (relating to Initial Privacy Notice), §22.9 of this title
(relating to Annual Privacy Notice) and §22.12 of this title (relating
to Revised Privacy Notices) shall include the following items of information,
in addition to any other information the covered entity wishes to provide,
that applies to the covered entity and to the consumers to whom the covered
entity sends its privacy notice.
(1) The categories of nonpublic personal financial information
that the covered entity collects. A covered entity satisfies the requirement
to categorize the nonpublic personal financial information it collects when
the covered entity categorizes it according to the source of the information,
as applicable, including:
(A) information from the consumer;
(B) information about the consumer's transactions with the
covered entity or its affiliates;
(C) information about the consumer's transactions with nonaffiliated
third parties; and
(D) information from a consumer reporting agency.
(2) The categories of nonpublic personal financial information
that the covered entity discloses.
(A) A covered entity satisfies the requirement to categorize
nonpublic personal financial information it discloses when the covered entity
categorizes the information according to source, as described in paragraph
(1) of this subsection, as applicable, and provides examples to illustrate
the types of information in each category, such as:
(i) information from the consumer, including application information
(such as assets and income) and identifying information (such as name, address
and social security number);
(ii) transaction information (such as information about balances,
payment history and parties to the transaction); and
(iii) information from consumer reports (such as a consumer's
creditworthiness and credit history).
(B) A covered entity does not adequately categorize the information
that it discloses when the covered entity uses only general terms (such as
transaction information about the consumer).
(C) A covered entity that reserves the right to disclose all
of the nonpublic personal financial information about consumers that it collects
may state that fact without describing the categories or examples of nonpublic
personal financial information that the covered entity discloses.
(3) The categories of affiliates and nonaffiliated third parties
to whom the covered entity discloses nonpublic personal financial information,
other than those parties to whom the covered entity discloses information
under §§22.18 and 22.19 of this title.
(4) The categories of nonpublic personal financial information
about the covered entity's former customers that the covered entity discloses
and the categories of affiliates and nonaffiliated third parties to whom the
covered entity discloses nonpublic personal financial information about the
covered entity's former customers, other than those parties to whom the covered
entity discloses information under §§22.18 and 22.19 of this title.
(5) A separate description of the categories of information
the covered entity discloses and the categories of third parties with whom
the covered entity has contracted, if the covered entity discloses nonpublic
personal financial information to a nonaffiliated third party under §22.17
of this title (relating to Exception to Opt Out Requirements for Disclosure
of Nonpublic Personal Financial Information for Service Providers and Joint
Marketing) and no other exception in §§22.18 and 22.19 of this title
applies to that disclosure.
(6) An explanation of the consumer's right under §22.14(a)
of this title (relating to Limits on Disclosure of Nonpublic Personal Financial
Information to Nonaffiliated Third Parties) to opt out of the disclosure of
nonpublic personal financial information to nonaffiliated third parties, including
the methods by which the consumer may exercise that right at that time.
(7) Any disclosures that the covered entity makes under Section
603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii))
(that is, notices regarding the ability to opt out of disclosures of information
among affiliates).
(8) The covered entity's policies and practices with respect
to protecting the confidentiality and security of nonpublic personal financial
information. A covered entity provides an adequate description of its policies
and practices with respect to protecting the confidentiality and security
of nonpublic personal financial information if it does both of the following:
(A) describes in general terms who is authorized to have access
to the information; and
(B) states whether the covered entity has security practices
and procedures in place to ensure the confidentiality of the information in
accordance with the covered entity's policy. The covered entity is not required
to describe technical information about the safeguards it uses.
(9) Any disclosure that the covered entity makes under subsection
(c) of this section.
(c) Description of parties subject to exceptions. A covered
entity that discloses nonpublic personal financial information as authorized
under §§22.18 and 22.19 of this title is not required to list those
exceptions in the initial or annual privacy notices required by §§22.8
and 22.9 of this title. When describing the categories of parties to whom
disclosure is made, the covered entity shall state that it makes disclosures
to other affiliated or nonaffiliated third parties, as applicable, as permitted
by law.
(d) Appropriate methods of categorizing affiliates and nonaffiliated
third parties.
(1) A covered entity satisfies the requirement to categorize
the affiliates and nonaffiliated third parties to which the covered entity
discloses nonpublic personal financial information about consumers if the
covered entity identifies the types of businesses in which they engage.
(2) Types of businesses may be described by general terms only
if the covered entity uses illustrative examples of significant lines of business.
For example, a covered entity may use the term "financial products or services"
if the notice includes appropriate examples of significant lines of such businesses
or services, such as life insurer, automobile insurer, consumer banking or
securities brokerage.
(3) A covered entity also may categorize the affiliates and
nonaffiliated third parties to which it discloses nonpublic personal financial
information about consumers using more detailed categories.
(e) Disclosures under exception for service providers and joint
marketers. A covered entity that discloses nonpublic personal financial information
under the exception in §22.17 of this title to a nonaffiliated third
party to market products or services that it offers alone or jointly with
another financial institution satisfies the disclosure requirement of subsection
(b)(5) of this section if it:
(1) lists the categories of nonpublic personal financial information
it discloses, using the same categories and examples the covered entity used
to meet the requirements of subsection (a)(2) of this section, as applicable;
and
(2) states whether the third party is:
(A) a service provider that performs marketing services on
the covered entity's behalf or on behalf of the covered entity and another
financial institution; or
(B) a financial institution with whom the covered entity has
a joint marketing agreement.
(f) Short-form initial notice with opt out notice for non-customers.
(1) A covered entity may satisfy the initial notice requirements
in §22.8(a)(2) and §22.11(c) of this title (relating to Form of
Opt Out Notice to Consumers and Opt Out Methods) for a consumer who is not
a customer by providing a short-form initial notice at the same time as the
covered entity delivers an opt out notice as required in §22.11 of this
title.
(2) A short-form initial notice shall:
(A) be clear and conspicuous;
(B) state that the covered entity's privacy notice is available
upon request; and
(C) explain a reasonable means by which the consumer may obtain
that notice.
(3) The covered entity shall deliver its short-form initial
notice according to §22.13 of this title (relating to Delivery). The
covered entity is not required to deliver its privacy notice with its short-form
initial notice. The covered entity instead may simply provide the consumer
a reasonable means to obtain its privacy notice. If a consumer who receives
the covered entity's short-form notice requests the covered entity's privacy
notice, the covered entity shall deliver its privacy notice according to §22.13
of this title.
(4) The covered entity provides a reasonable means by which
a consumer may obtain a copy of its privacy notice if the covered entity:
(A) provides a toll-free telephone number that the consumer
may call to request the notice; or
(B) for a consumer who conducts business in person at the covered
entity's office, maintains copies of the notice on hand that the covered entity
provides to the consumer immediately upon request.
(g) Reservation of right to disclose. The covered entity's
notice may include:
(1) categories of nonpublic personal financial information
that the covered entity reserves the right to disclose in the future, but
does not currently disclose; and
(2) categories of affiliates or nonaffiliated third parties
to whom the covered entity reserves the right in the future to disclose, but
to whom the covered entity does not currently disclose, nonpublic personal
financial information.
(h) Forms. A covered entity may use the forms provided in §22.26
of this title (relating to Forms), as applicable, to meet the requirements
of this section as follows:
(1) Form Number FNPRV INFO/COL provided at Figure 1 of §22.26(b)(1)
of this title is intended to meet the requirement of subsection (b)(1) of
this section to describe the categories of nonpublic personal financial information
the covered entity collects.
(2) Form Number FNPRV INFO/DSC provided at Figure 2 of §22.26(b)(1)
of this title is intended to meet the requirement of subsection (b)(2) of
this section to describe the categories of nonpublic personal financial information
the covered entity discloses. The covered entity may use these clauses if
it discloses nonpublic personal financial information other than as permitted
by the exceptions in §§22.17, 22.18, and 22.19 of this title.
(3) Form Number FNPRV INFO/NODSC provided at Figure 3 of §22.26(b)(3)
of this subchapter is intended to meet the requirements of subsections (b)(2),
(3), and (4) of this section to describe the categories of nonpublic personal
financial information about customers and former customers that the covered
entity discloses and the categories of affiliates and nonaffiliated third
parties to whom the covered entity discloses this information. A covered entity
may use this clause if the covered entity does not disclose nonpublic personal
financial information to any party, other than as permitted by the exceptions
in §§22.18 and 22.19 of this title.
(4) Form Number FNPRV INFO/TPDSC provided at Figure 4 of §22.26(b)(4)
of this title is intended to meet the requirements of subsection (b)(3) of
this section to describe the categories of affiliates and nonaffiliated third
parties to whom the covered entity discloses nonpublic personal financial
information. A covered entity may use this clause if the covered entity discloses
nonpublic personal financial information other than as permitted by the exceptions
in §§22.17, 22.18, and 22.19 of this title.
(5) Form Number FNPRV INFO/SPJMDSC provided at Figure 5 of §22.26(b)(5)
of this title is intended to meet the requirements of subsection (b)(5) of
this section related to the exception for service providers and joint marketers
in §22.17 of this title. If a covered entity discloses nonpublic personal
financial information under this exception, the covered entity shall describe
the categories of nonpublic personal financial information the covered entity
discloses and the categories of third parties with which the covered entity
has contracted.
(6) Form Number FNPRV INFO/OPT provided at Figure 6 of §22.26(b)(6)
of this title is intended to meet the requirements of subsection (b)(6) of
this section to provide an explanation of the consumer's right to opt out
of the disclosure of nonpublic personal financial information to nonaffiliated
third parties, including the method(s) by which the consumer may exercise
that right. A covered entity may use this clause if the covered entity discloses
nonpublic personal financial information other than as permitted by the exceptions
in §§22.17, 22.18, and 22.19 of this title.
(7) Form Number FNPRV INFO/SEC provided at Figure 7 of §22.26(b)(7)
of this subchapter is intended to meet the requirements of subsection (b)(8)
of this section to describe the covered entity's policies and practices with
respect to protecting the confidentiality and security of nonpublic personal
financial information.