Current through Reg. 50, No. 13; March 28, 2025
(a) Simplified nondisclosure notice
requirements. A covered entity that does not disclose, and does not reserve the
right to disclose, nonpublic personal financial information about customers or
former customers to nonaffiliated third parties except as authorized under
§ 22.18 of this title (relating to
Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic
Personal Financial Information for Processing and Servicing Transactions) and
§ 22.19 of this title (relating to
Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic
Personal Financial Information), may comply with this subchapter by providing a
simplified notice that expresses:
(1) the
nondisclosure policy stated in this subsection, and
(2) the information required by subsections
(b)(1), (b)(8), (b)(9), and (c) of this section.
(b) Disclosure notice requirements. The
initial, annual, and revised privacy notices a covered entity provides under
§ 22.8 of this title (relating to Initial Privacy Notice),
§ 22.9 of this title (relating to Annual Privacy Notice), and
§ 22.12 of this title (relating to
Revised Privacy Notices) must include the following items of information, in
addition to any other information the covered entity wishes to provide, that
applies to the covered entity and to the consumers to whom the covered entity
sends its privacy notice.
(1) The categories
of nonpublic personal financial information the covered entity collects. A
covered entity satisfies the requirement to categorize the nonpublic personal
financial information it collects when the covered entity categorizes it
according to the source of the information, as applicable, including:
(A) information from the consumer;
(B) information about the consumer's
transactions with the covered entity or its affiliates;
(C) information about the consumer's
transactions with nonaffiliated third parties; and
(D) information from a consumer reporting
agency.
(2) The
categories of nonpublic personal financial information the covered entity
discloses.
(A) A covered entity satisfies the
requirement to categorize nonpublic personal financial information it discloses
when the covered entity categorizes the information according to source, as
described in paragraph (1) of this subsection, as applicable, and provides
examples to illustrate the types of information in each category, such as:
(i) information from the consumer, including
application information (such as assets and income) and identifying information
(such as name, address, and social security number);
(ii) transaction information (such as
information about balances, payment history, and parties to the transaction);
and
(iii) information from consumer
reports (such as a consumer's creditworthiness and credit history).
(B) A covered entity does not
adequately categorize the information it discloses when the covered entity uses
only general terms (such as transaction information about the
consumer).
(C) A covered entity
that reserves the right to disclose all the nonpublic personal financial
information about consumers it collects may state that fact without describing
the categories or examples of nonpublic personal financial information the
covered entity discloses.
(3) The categories of affiliates and
nonaffiliated third parties to whom the covered entity discloses nonpublic
personal financial information, other than those parties to whom the covered
entity discloses information under § 22.18 and § 22.19 of this title.
(4) The categories of nonpublic personal
financial information about the covered entity's former customers that the
covered entity discloses and the categories of affiliates and nonaffiliated
third parties to whom the covered entity discloses nonpublic personal financial
information about the covered entity's former customers, other than those
parties to whom the covered entity discloses information under § 22.18 and
§ 22.19 of this title.
(5) A separate description of the categories
of information the covered entity discloses and the categories of third parties
with whom the covered entity has contracted, if the covered entity discloses
nonpublic personal financial information to a nonaffiliated third party under
§ 22.17 of this title (relating to
Exception to Opt Out Requirements for Disclosure of Nonpublic Personal
Financial Information for Service Providers and Joint Marketing) and no other
exception in § 22.18 and § 22.19 of this title applies to
that disclosure.
(6) An explanation
of the consumer's right under § 22.14(a) of this
title (relating to Limits on Disclosure of Nonpublic Personal Financial
Information to Nonaffiliated Third Parties) to opt out of the disclosure of
nonpublic personal financial information to nonaffiliated third parties,
including the methods by which the consumer may exercise that right at that
time.
(7) Any disclosures the
covered entity makes under §603(d)(2)(A)(iii) of the federal FCRA
(15 U.S.C. §1681a(d)(2)(A)(iii))
(that is, notices regarding the ability to opt out of disclosures of
information among affiliates).
(8) The covered entity's policies and practices with respect to protecting the
confidentiality and security of nonpublic personal financial information. A
covered entity provides an adequate description of its policies and practices
with respect to protecting the confidentiality and security of nonpublic
personal financial information if it does both of the following:
(A) describes in general terms who is
authorized to have access to the information; and
(B) states whether the covered entity has
security practices and procedures in place to ensure the confidentiality of the
information under the covered entity's policy. The covered entity is not
required to describe technical information about the safeguards it
uses.
(9) Any disclosure
the covered entity makes under subsection (c) of this section.
(c) Description of nonaffiliated
third parties subject to exceptions. A covered entity that discloses nonpublic
personal financial information to third parties as authorized under § 22.18 and
§ 22.19 of this title is not
required to list those exceptions in the initial or annual privacy notices
required by § 22.8 and § 22.9 of this title. When
describing the categories of parties to whom the covered entity makes
disclosures, it is sufficient for the covered entity to state that it makes
disclosures to other nonaffiliated companies:
(1) for the covered entity's everyday
business purposes, such as (include all that apply) to process account
transactions, maintain accounts, respond to court orders and legal
investigations, or report to credit bureaus; or
(d) Appropriate methods of categorizing
affiliates and nonaffiliated third parties.
(1) A covered entity satisfies the
requirement to categorize the affiliates and nonaffiliated third parties to
which the covered entity discloses nonpublic personal financial information
about consumers if the covered entity identifies the types of businesses in
which they engage.
(2) Types of
businesses may be described by general terms only if the covered entity uses
illustrative examples of significant lines of business. For example, a covered
entity may use the term "financial products or services" if the notice includes
appropriate examples of significant lines of businesses or services, such as
life insurer, automobile insurer, consumer banking, or securities
brokerage.
(3) A covered entity
also may categorize the affiliates and nonaffiliated third parties to which it
discloses nonpublic personal financial information about consumers using more
detailed categories.
(e) Disclosures under exception for service providers and joint marketers. A
covered entity that discloses nonpublic personal financial information under
the exception in § 22.17 of this title to a
nonaffiliated third party to market products or services it offers alone or
jointly with another financial institution satisfies the disclosure requirement
of subsection (b)(5) of this section if it:
(1) lists the categories of nonpublic
personal financial information it discloses, using the same categories and
examples the covered entity used to meet the requirements of subsection (a)(2)
of this section, as applicable; and
(2) states whether the third party is:
(A) a service provider that performs
marketing services on the covered entity's behalf or on behalf of the covered
entity and another financial institution; or
(B) a financial institution with whom the
covered entity has a joint marketing agreement.
(f) Short-form initial notice with opt out
notice for noncustomers.
(1) A covered entity
may satisfy the initial notice requirements in § 22.8(a)(2) and
§ 22.11(c) of this
title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) for
a consumer who is not a customer by providing a short-form initial notice at
the same time as the covered entity delivers an opt out notice as required in
§ 22.11 of this title.
(2) A short-form initial notice must:
(A) be clear and conspicuous;
(B) state that the covered entity's privacy
notice is available on request; and
(C) explain a reasonable means by which the
consumer may obtain that notice.
(3) The covered entity must deliver its
short-form initial notice according to § 22.13 of this title (relating to
Delivery). The covered entity is not required to deliver its privacy notice
with its short-form initial notice. The covered entity may instead provide the
consumer with a reasonable means to obtain its privacy notice. If a consumer
who receives the covered entity's short-form notice requests the covered
entity's privacy notice, the covered entity must deliver its privacy notice
according to § 22.13 of this title.
(4) The covered entity provides a reasonable
means by which a consumer may obtain a copy of its privacy notice if the
covered entity:
(A) provides a toll-free
telephone number that the consumer may call to request the notice; or
(B) for a consumer who conducts business in
person at the covered entity's office, maintains copies of the notice on hand
that the covered entity provides to the consumer immediately on
request.
(g) Reservation of right to disclose. The covered entity's notice may include:
(1) categories of nonpublic personal
financial information the covered entity reserves the right to disclose in the
future, but does not currently disclose; and
(2) categories of affiliates or nonaffiliated
third parties to whom the covered entity reserves the right in the future to
disclose, but to whom the covered entity does not currently disclose, nonpublic
personal financial information.
(h) Model privacy form. A model privacy form
that meets the notice content requirements of this section appears in 74
Federal Register 62890 (December 1, 2009). A covered entity
may use the applicable model privacy form, consistent with the instructions in
§ 22.27 of this title (relating to
General Instructions).