Current through Reg. 50, No. 13; March 28, 2025
(a) Conditions for disclosure. Except as otherwise authorized in this
subchapter, a covered entity may not, directly or through any affiliate,
disclose any nonpublic personal financial information about a consumer to a
nonaffiliated third party unless:
(1) the covered entity has provided to the consumer an initial notice as
required under § 22.8 of this title (relating to Initial Privacy Notice);
(2) the covered entity has provided to the consumer an opt out notice as
required in § 22.11 of this title (relating to Form of Opt Out Notice to
Consumers and Opt Out Methods);
(3) the covered entity has given the consumer
a reasonable opportunity, before it discloses the information to the
nonaffiliated third party, to opt out of the disclosure; and
(4) the consumer does not opt out.
(b) Examples of reasonable opportunity to opt out. A covered entity provides a
consumer with a reasonable opportunity to opt out if:
(1) the covered entity mails the notices required in subsection (a) of this
section to the consumer and allows the consumer to opt out by mailing a form,
calling a toll-free telephone number or any other reasonable means within 30
days from the date the covered entity mailed the notices.
(2) a customer opens an on-line account with
a covered entity and agrees to receive the notices required in subsection (a)
of this section electronically, and the covered entity allows the customer to
opt out by any reasonable means within 30 days after the date that the customer
acknowledges receipt of the notices in conjunction with opening the
account.
(3) for an isolated transaction such as providing the consumer with an
insurance quote, a covered entity provides the consumer with a reasonable
opportunity to opt out if the covered entity provides the notices required in
subsection (a) of this section at the time of the transaction and requests that
the consumer decide, as a necessary part of the transaction, whether to opt out
before completing the transaction.
(c) Application of opt out to all consumers and all nonpublic personal
financial information.
(1) A covered entity shall comply with this section, regardless of whether the
covered entity and the consumer have established a customer relationship.
(2) Unless a covered entity complies with
this section, the covered entity may not, directly or through any affiliate,
disclose any nonpublic personal financial information about a consumer that the
covered entity has collected, regardless of whether the covered entity
collected it before or after receiving the direction to opt out from the
consumer.
(d) Partial opt out. A covered entity may allow a consumer to select certain
nonpublic personal financial information or certain nonaffiliated third parties
with respect to which the consumer wishes to opt out.