[Code of Federal Regulations]

[Title 12, Volume 6]

[Revised as of January 1, 2006]

From the U.S. Government Printing Office via GPO Access

[CITE: 12CFR716.6]



[Page 547-549]

 

                       TITLE 12--BANKS AND BANKING

 

            CHAPTER VII--NATIONAL CREDIT UNION ADMINISTRATION

 

PART 716--PRIVACY OF CONSUMER FINANCIAL INFORMATION--Table of Contents

 

                  Subpart A--Privacy and Opt Out Notices

 

Sec. 716.6  Information to be included in initial and annual privacy 

notices.



    (a) General rule. The initial and annual privacy notices under 

Sec. Sec. 716.4 and 716.5 must include each of the following items of 

information that applies to you or to the consumers to whom you send 

your privacy notice, in addition to any other information you wish to 

provide:

    (1) The categories of nonpublic personal information that you 

collect;

    (2) The categories of nonpublic personal information that you 

disclose;

    (3) The categories of affiliates and nonaffiliated third parties to 

whom

you disclose nonpublic personal information, other than those parties to 

whom you disclose information under Sec. Sec. 716.14 and 716.15;

    (4) The categories of nonpublic personal information about your 

former members that you disclose and the categories of affiliates and 

nonaffiliated third parties to whom you disclose it, other than those 

parties to whom you disclose information under Sec. Sec. 716.14 and 

716.15;

    (5) If you disclose nonpublic personal information to a 

nonaffiliated third party under Sec. 716.13 (and no other exception 

applies to that disclosure), a separate statement of the categories of 

information you disclose and the categories of third parties with whom 

you have contracted;

    (6) An explanation of the consumer's right under Sec. 716.10(a) to 

opt out of the disclosure of nonpublic personal information to 

nonaffiliated third parties, including the methods by which the consumer 

may exercise that right at that time;

    (7) Any disclosures that you make under section 603(d)(2)(A)(iii) of 

the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, 

notices regarding the ability to opt out of disclosure of information 

among affiliates);

    (8) Your policies and practices with respect to protecting the 

confidentiality and security of nonpublic personal information; and

    (9) Any disclosures you make under paragraph (b) of this section.

    (b) Description of nonaffiliated third parties subject to 

exceptions. If you disclose nonpublic personal information to third 

parties as authorized under Sec. Sec. 716.14 and 716.15, you are not 

required to list those exceptions in the initial or annual privacy 

notices required by Sec. Sec. 716.4 and 716.5. When describing the 

categories with respect to those parties, you are required to state only 

that you make disclosures to other nonaffiliated third parties as 

permitted by law.

    (c) Short-form initial notice with opt out notice for nonmember 

consumers. (1) You may satisfy the initial notice requirements in 

Sec. Sec. 716.4(a)(2), 716.7(b), and 716.7(c) for a consumer who is not 

a member by providing a short-form initial notice at the same time as 

you deliver an opt out notice as required in Sec. 716.7.

    (2) A short-form initial notice must:

    (i) Be clear and conspicuous;

    (ii) State that your privacy notice is available upon request; and

    (iii) Explain a reasonable means by which the consumer may obtain 

that notice.

    (3) You must deliver your short-form initial notice according to 

Sec. 716.9. You are not required to deliver your privacy notice with 

your short form initial notice. You instead may simply provide the 

consumer a reasonable means to obtain your privacy notice. If a consumer 

who receives your short-form notice requests your privacy notice, you 

must deliver your privacy notice according to Sec. 716.9.

    (4) Examples of obtaining privacy notice. You provide a reasonable 

means by which a consumer may obtain a copy of your privacy notice if 

you:

    (i) Provide a toll-free telephone number that the consumer may call 

to request the notice; or

    (ii) For a consumer who conducts business in person at your office, 

maintain copies of the notice on hand that you provide to a consumer 

immediately upon request.

    (d) Future disclosures. Your notice may include:

    (1) Categories of nonpublic personal information that you reserve 

the right to disclose in the future, but do not currently disclose; and

    (2) Categories of affiliates or nonaffiliated third parties to whom 

you reserve the right in the future to disclose, but to whom you do not 

currently disclose, nonpublic personal information.

    (e) Examples--(1) Categories of nonpublic personal information that 

you collect.

    You satisfy the requirement to categorize the nonpublic personal 

information that you collect if you list the following categories, as 

applicable:

    (i) Information from the consumer;

    (ii) Information about the consumer's transactions with you or your 

affiliates;

    (iii) Information about the consumer's transactions with 

nonaffiliated third parties; and

    (iv) Information from a consumer reporting agency.

    (2) Categories of nonpublic personal information you disclose. (i) 

You satisfy the requirement to categorize the nonpublic personal 

information that you disclose if you list the categories described in 

paragraph (e)(1) of this section, as applicable, and a few examples to 

illustrate the types of information in each category.

    (ii) If you reserve the right to disclose all of the nonpublic 

personal information about consumers that you collect, you may simply 

state that fact without describing the categories or examples of the 

nonpublic personal information you disclose.

    (3) Categories of affiliates and nonaffiliated third parties to whom 

you disclose. You satisfy the requirement to categorize the affiliates 

and nonaffiliated third parties to whom you disclose nonpublic personal 

information if you list the following categories, as applicable, and a 

few examples to illustrate the types of third parties in each category.

    (i) Financial service providers;

    (ii) Non-financial companies; and

    (iii) Others.

    (4) Disclosures under exception for service providers and joint 

marketers. If you disclose nonpublic personal information under the 

exception in Sec. 716.13 to a nonaffiliated third party to market 

products or services that you offer alone or jointly with another 

financial institution, you satisfy the disclosure requirement of 

paragraph (a)(5) of this section if you:

    (i) List the categories of nonpublic personal information you 

disclose, using the same categories and examples you used to meet the 

requirements of paragraphs (a)(2) of this section, as applicable; and

    (ii) State whether the third party is:

    (A) A service provider that performs marketing services on your 

behalf or on behalf of you and another financial institution; or

    (B) A financial institution with whom you have a joint marketing 

agreement.

    (5) Simplified notices. If you do not disclose, and do not intend to 

disclose, nonpublic personal information about members or former members 

to affiliates or nonaffiliated third parties except as authorized under 

Sec. Sec. 716.14 and 716.15, you may simply state that fact, in 

addition to the information you must provide under paragraphs (a)(1), 

(a)(8), (a)(9) and (c) of this section.

    (6) Confidentiality and security. You describe your policies and 

practices with respect to protecting the confidentiality and security of 

nonpublic personal information if you do both of the following:

    (i) Describe in general terms who is authorized to have access to 

the information.

    (ii) State whether you have security practices and procedures in 

place to ensure the confidentiality of the information in accordance 

with your policy. You are not required to describe technical information 

about the safeguards you use.

    (7) Joint notice with affiliates. You may provide a joint notice 

from you and one or more of your affiliates or other financial 

institutions, as specified in the notice, as long as the notice is 

accurate with respect to you and the other institution.