Consumer Privacy
Frequently
Asked Questions for the Privacy Regulation
December
2001
Contents
A. Financial
institutions, products, and services that are covered under the
Privacy Rule (q. 1-5)
B. Individuals
who are entitled to receive notices (q. 1-5)
C. Delivering
your privacy notices (q. 1-9)
D. Providing
notices to joint account holders (q. 1-5)
E. Complying
with the opt out provisions for joint account holders (q. 1-4)
F. Delivering
opt out notices and providing consumers with a reasonable opportunity
to opt out (q. 1-7)
G. Complying
with the limitations on redisclosure and reuse of nonpublic personal
information (q. 1-7)
H. Complying
with the limitation on disclosing account numbers (q. 1-2)
I. Disclosing
nonpublic personal information under the exceptions to the notice
and opt out provisions (q. 1-12)
J. Complying
with the exception to the opt out provisions for joint marketing
arrangements (q. 1-5)
Staff
of the National Credit Union Administration (NCUA), the Board
of Governors of the Federal Reserve System, the Federal Deposit
Insurance Corporation, the Office of the Comptroller of the Currency,
and the Office of Thrift Supervision developed the following
Frequently Asked Questions (FAQs) to assist financial institutions
in complying with the privacy provisions of the Gramm-Leach-Bliley
Act (GLB Act) and the agencies’ consumer privacy regulations.
NCUA’s consumer privacy regulation, 12 C.F.R. Part 716, differs
slightly from the banking agencies’ regulations because of the
nature of credit union structure and operations. Credit unions
must consider the differences in NCUA’s regulation when using
this staff guidance.
These FAQs illustrate
how select provisions of the regulations apply to specific situations
a financial institution may confront. This staff guidance addresses
a financial institution’s obligations only under sections 502-509 of the GLB Act and the agencies’ consumer privacy regulations and does
not address the applicability of the Fair Credit Reporting Act
or any other federal or state law that may pertain to the questions
and answers. Staff may supplement or revise these FAQs as necessary
or appropriate in light of further questions and experience.
A. Financial
institutions, products, and services that are covered under
the Privacy Rule
A.1. Q. Who
must comply with the Privacy Rule?
A.
Any financial institution that provides financial products or
services to consumers must comply with the privacy provisions
of Title V of the Gramm-Leach-Bliley Act (“GLB Act”) (15 U.S.C. §§ 6801-09) and the Privacy Rule. Under the banking agencies’ and NCUA’s rules,1 you are a financial institution if you engage in an activity that is financial
in nature or incidental to a financial activity, as described
in § 4(k) of the Bank Holding Company Act of 1956 (“BHC Act”) (12 U.S.C. § 1843(k)). For purposes of the banking agencies’ and NCUA’s rules, activities “described
in § 4(k) of the BHC Act” include the activities specifically listed in § 4(k) and any additional activities the Board, in consultation with the Secretary
of the Treasury, determines to be financial in nature or incidental
to a financial activity in accordance with § 4(k).
Section 225.86 of the Board’s Regulation Y lists or otherwise
references the activities that are financial in nature as of
the date of these FAQs. See 12 C.F.R. 225.86. Note, however, that additional activities the Board authorizes
in the future, such as activities approved by Board order,
may not necessarily be listed at § 225.86.
Authorized financial activities as of the date of these FAQs
include but are not limited to the following:
Lending, exchanging,
transferring, investing for others, or safeguarding money or
securities;
Insuring, guaranteeing,
or indemnifying against loss, harm, damage, illness, disability,
or death, or providing and issuing annuities, either as principal,
agent, or broker; and
Providing financial
advice, underwriting, dealing in, or making a market in securities.
You have consumers if you provide your financial products or
services to individuals to be used primarily for their personal,
family, or household purposes.
Additionally, the Privacy Rule restricts the use and disclosure
of nonpublic personal information obtained from a nonaffiliated
financial institution, as discussed below.
A.2. Q. I
am a small financial institution with no affiliates. I do not
disclose information about my customers or consumers to anyone,
except as permitted by an exception under §§ ___.14 and ___.15
of the Privacy Rule.2 Does the Privacy Rule apply to a small operation like mine?
A.
Yes. You have responsibilities under the Privacy Rule regardless
of your size, affiliate relationships, or information collection
and disclosure practices. The Privacy Rule is focused not only
on regulating the disclosure of financial information about customers
and consumers, but also on requiring each financial institution
to provide initial and annual notices of its policies to its
customers. You may, however, provide notice in a simplified
form, as illustrated by the notice described in § ___.6(c)(5).
A.3. Q. I
provide trust services. In this capacity, I serve as the trustee
of trusts whose beneficiaries are individuals. Does the Privacy
Rule apply to my trust operations?
A.
When you act as a trustee, you have a relationship with the trust.
Because the trust itself is not an individual, it is not a consumer
under the Privacy Rule. Even if the grantor and all the beneficiaries
are individuals, neither the grantor nor any of the beneficiaries
are your consumers solely because of their relationship to the
trust. If, for example, the trust requires you, as trustee,
to transfer money to a beneficiary, you provide that financial
service to the trust rather than the individual who is the beneficiary.
In other words, grantors and beneficiaries of a trust are not
your consumers unless they directly obtain a financial product
and service from you for their personal, family, or household
purposes. Accordingly, you do not have any obligations under
the Privacy Rule with respect to the trust. Your duties as a
fiduciary, however, may require you to maintain the confidentiality of information about the trust, its grantor, and
its beneficiaries.
A.4. Q. I
act as a custodian for Individual Retirement Arrangements (“IRAs”).
Are the individuals who own the IRAs my customers?
A.
Yes. An individual who establishes an IRA account for which
you act as a custodian has obtained a financial product or service
that is to be used primarily for personal, family, or household
purposes; therefore, he or she is a consumer. When an individual
selects you to act as custodian for his or her IRA, the individual
enters into a continuing relationship with you and becomes your
customer under the Privacy Rule. By contrast, an individual
who is a participant or a beneficiary of an employee benefit
plan that you sponsor or for which you act as trustee or fiduciary
is not your customer because your relationship in that case is with the plan.
A.5. Q. I
am a tax return preparer and I understand that I may be subject
to the Privacy Rule concerning the disclosure of my clients’
nonpublic personal information. However, I also am subject to
section 7216 of the Internal Revenue Code, which restricts the
use and disclosure of my customers’ federal tax return information.
Do the privacy provisions of the GLB Act and the Privacy Rule
supersede the restrictions in section 7216? May I now disclose
my customers’ federal income tax return information after I provide
them with the proper notices and give my customers a reasonable
opportunity to opt out?
A.
No. The Privacy Rule does not supersede the restrictions in
section 7216. The GLB Act and the Agencies’ implementing regulations
do not authorize a financial institution to disclose nonpublic
personal information in a way that is prohibited by some other
law. Therefore, you may not avoid the restrictions of section
7216 by providing your customers with an opt out notice and a
reasonable opportunity to opt out.
B. Individuals
who are entitled to receive notices
B.1. Q. Why
does the Privacy Rule sometimes refer to consumers and other
times to customers? Aren’t customers also consumers?
A.
All customers are consumers, but not all consumers are customers.
A consumer is an individual who obtains a financial product or
service from you that is primarily for personal, family, or household
purposes. A financial product or service includes the evaluation
or brokerage of information collected in connection with a request
or application, such as a bank’s review of loan application materials
to determine whether an applicant qualifies for a loan. A customer
is a type of consumer, namely, an individual who has an ongoing
relationship with you under which you provide a financial product
or service. Note that neither a business nor an individual who
obtains a financial product or service for business purposes
is a consumer or a customer under the Privacy Rule.
The rule distinguishes consumers from customers because your
responsibilities to provide notices to consumers and to customers
differ in several respects.
You must give all
your customers initial privacy notices.
You must give initial
notices (or short form notices) to consumers who are not your
customers only if you intend to disclose nonpublic personal information about those consumers
to nonaffiliated third parties (unless an exception in §§ ___.14 or ___.15 applies such that no initial notice is required prior to the disclosure).
You must give annual
privacy notices to your customers as long as they remain your
customers.
You are never required
to send annual notices to consumers who are not your customers.
It is important to remember that all consumers are entitled to
the same protection from disclosures of nonpublic personal information
under this regulation regardless of whether they are customers.
You therefore must not disclose the nonpublic personal information
of any consumer or any customer to any nonaffiliated third party
outside of the exceptions in §§ ___.13 – ___.15 unless you provide a privacy notice and a reasonable opportunity
to opt out, and the consumer or customer does not opt out.
B.2. Q. I
occasionally make business loans to sole proprietors. Do I have
to provide them with a privacy notice?
A.
Although a sole proprietor is an individual, if the sole proprietor
obtains a loan from you for business purposes he or she is not
a “consumer” for purposes of the Privacy Rule. Therefore, you
do not have to provide any privacy notices to the sole proprietor.
B.3. Q. Is
a guarantor or an endorser of a consumer loan considered my consumer
or customer?
A.
A guarantor or endorser of a consumer loan is your customer because
the individual assumes secondary liability on the loan he or
she guarantees or endorses and thereby receives an extension
of credit from you. You may, however, treat the primary borrower
and the guarantor or endorser as joint account holders. As a
result, you may deliver a single privacy notice to the joint
account holders in accordance with § ___.9(g). If you disclose information to nonaffiliated third parties outside
of the exceptions in §§ ___.13 – ___.15, you must also provide the primary borrower and the guarantor/endorser
with an opportunity to opt out. You may deliver a single opt
out notice to the joint account holders under § ___.7(d).
B.4. Q. Non-U.S.-resident
consumers conduct business at my U.S. offices. Do the privacy
regulations apply in cases where consumers live in another country?
A.
Yes. The privacy regulations apply to all United States offices
of entities for which the federal financial institution regulators
have primary supervisory authority, regardless of where the consumer
lives.
B.5. Q. Is
a person who only browses my web site my consumer?
A.
No. The person does not obtain a financial product or service
from you merely by browsing your web site.
C. Delivering
your privacy notices
C.1. Q. I
issue credit cards to consumers. Very often, I take credit card
applications by telephone and approve them within minutes. My
customers wish to begin using their new accounts right away.
When must I deliver initial notices in these cases?
A.
You cannot deliver your privacy notice solely by explaining it
over the telephone. However, you may provide an initial notice
within a reasonable time after establishing a customer relationship
if (i) providing it when you establish that relationship would
substantially delay the customer’s transaction, and (ii) the
customer agrees to a later delivery. In the case of approving
a credit card application by telephone, waiting until you have
time to mail the notice would substantially delay the customer’s
use of a new credit account. As long as your new customer agrees
to receive the notice later, you may deliver it within a reasonable
time after establishing the customer relationship.
Notwithstanding that exception, delayed delivery of an initial
notice does not alter the restrictions on disclosing nonpublic
personal information. That is, if you delay delivering your
initial notice to a customer, you may not disclose that customer’s
nonpublic personal information to any nonaffiliated third party
(except as permitted by the exceptions under §§ ___.14 and ___.15)
before you provide the notices and a reasonable opportunity to
opt out, in accordance with §§ ___.7 and ___.10.
C.2. Q. I
am a financial institution with several subsidiaries. Must each
affiliated financial institution issue a separate privacy notice?
If affiliated financial institutions are permitted to combine
their notices, how may we identify them in the notice?
A.
You and your subsidiaries may share common privacy policies and
practices and you may combine your respective privacy notices
into a joint notice. However, any joint notice must be accurate
as to each institution, must be clear and conspicuous, and must
identify which institutions it covers.
You do not have to list each financial institution by its particular
legal name. Instead, if each institution shares the “ABC” name,
then the joint notice could state that it applies to “all institutions
with the ABC name” or “in the ABC family of companies.” Conversely,
if an affiliated institution does not have ABC in its name, then
your notice must separately identify that institution.
C.3. Q. My
privacy notice must identify “categories” of nonpublic personal
information I collect and categories of affiliates and nonaffiliated
third parties with which I share that information. How detailed
do the categories need to be?
A.
The Privacy Rule does not require your privacy notices to describe
in detail the information you collect or disclose. Moreover,
you are not required to identify by name parties to whom you
may make disclosures. Rather, you may describe the types, or
categories, of information you collect and disclose, and the
types of third parties to whom you disclose the information.
These categories must be representative of your policies and
practices. Because the examples in the rule that describe categories
of information and parties to whom you disclose information are
not exclusive, you may describe the items in § ___.6(a)(1)-(9) that apply to you by using other reasonably understandable language
that informs a consumer about your privacy policies and practices. You also may use different language and may provide additional detail as appropriate
to explain your policies and practices to your consumers. In addition, the Privacy Rule requires you to address only those items that apply
to you. Your initial notice must accurately describe your policies
and procedures as of the time you provide the notice to a consumer
or customer. A notice also may be accurate even if it reflects
anticipated as well as current policies and practices.
C.4. Q. Won’t
my annual notice look just like my initial notice?
A.
The initial and annual notices may be identical because the required
contents for your initial notice are the same as those for your
annual notice. You must, of course, incorporate any revisions
you make to your privacy policy into your annual notice.
Your annual notice, like your initial notice, must describe any
right of consumers to opt out of disclosures you may make and
must describe how consumers may opt out. If the only opt out
method you allow is for consumers to send you a specific opt
out form, then you must include that form with your initial and
annual notices.
C.5. Q.
After I provide an initial privacy notice to my customer, the
Privacy Rule requires me to deliver privacy notices to that
customer not less than annually during the continuation of
the customer relationship. What does “annually” mean?
A. “Annually” means at least once in any period of
12 consecutive months
during which a customer relationship exists. If you use the
calendar year as your notice period, you have the flexibility
to give the first annual notice to a customer at any point in
the calendar year following the year in which the customer relationship
is established. Thereafter, you are expected to provide annual
notices on a consistent basis. Any period of more than 12 consecutive
months between annual notices should have an appropriate business
justification.
C.6. Q. Can
I combine my privacy notice with other consumer disclosures,
such as those under the Truth in Lending Act (Regulation Z) or
the Truth in Savings Act (Regulation DD)?
A.
The Privacy Rule does not prohibit you from combining your privacy
notices with other information. However, you still must comply
with all applicable requirements, such as those governing form,
content, and delivery of notices. For example, if you combine
your privacy notice with a disclosure under Regulation Z or Regulation
DD, each component of the combined notice/disclosure must comply
with the “clear and conspicuous” requirements in the regulation
governing that component.
C.7. Q. I
do not disclose any nonpublic personal information about my customers
to any affiliates or nonaffiliated third parties, except under
the conditions described in §§ ___.14 and ___.15 (exceptions to notice and opt out requirements). What aspects
of my privacy policies and practices must my notice address?
A.
In this case, you may use a simplified notice. A simplified
notice is sufficient if it:
Describes the categories
of nonpublic personal information you collect;
States the fact
that you do not share nonpublic personal information about your
customers or former customers to affiliates or nonaffiliated
third parties, except as authorized by law; and
Describes your policies
and practices for protecting the confidentiality and security
of consumers’ nonpublic personal information (under § 501(b) of the GLB Act).
C.8. Q. I
own and operate several ATMs. Many consumers who use them are
not my customers. I disclose to nonaffiliated third parties
nonpublic personal information about those consumers other than
as permitted by the exceptions in §§ ___.14 or ___.15, so I
must provide them with the required notices when they use my
ATMs. But ATM screens are very small. Am I required to purchase
machines with screens large enough to hold my privacy policy?
Must I make consumers click through dozens of tiny screens of
information?
A.
Neither new machines nor multiple screens are necessary. You
must provide an opt out notice, as required under § ___.7. This notice must state that you disclose nonpublic personal information
about the consumer to nonaffiliated third parties, state that
the consumer has a right to opt out of that disclosure, and provide
a reasonable opportunity for the consumer to opt out (such as
by requiring the consumer to decide whether to opt out as a necessary
part of the transaction). § ___.10(a)(3)(iii). In addition to the opt out notice, you must provide an
initial privacy notice. For consumers who are not your customers,
you may provide a short-form initial notice with an opt out notice.
§ ___.6(d). This short-form notice must state that your privacy policy is available
upon request and it must describe a reasonable means for the
consumer to get your privacy notice. As with any privacy notice,
the opt out notice and the short-form initial notice must be
clear, conspicuous, and accurate. These notices must be delivered
in a manner so that the consumer can agree to receive the notices
electronically, such as by acknowledging receipt of the notices
as a necessary step to completing the transaction at the ATM.
§ ___.9(a).
C.9. Q. I
am a small bank. I want to offer credit cards to my customers,
but I am too small to handle a credit card operation. Instead,
I contract with others to help me. When my customer indicates
an interest in getting a credit card, I supply an application
form. That form makes clear that the lender is a large bank
(“Large Bank”). I am not affiliated with the Large Bank. The
customer sends the completed form directly to the Large Bank,
so that I do not “collect” the application information within
the meaning of § ___.3(c). The Large Bank issues the credit card for approved applicants, with
its name on the back. My name and logo are prominent on the
front of the credit card. Who must provide the initial privacy
notice?
A.
When a financial institution makes a consumer loan, as the Large
Bank does in this case, it has a customer relationship with that
consumer. The Large Bank, therefore, must provide an initial
privacy notice and must provide annual notices as long as the
credit card relationship continues. You are not required to
send any new notices to your customers because you do not appear
to be providing any financial product or service to them in connection
with this credit card product.
D. Providing
notices to joint account holders
D.1. Q. I
have two depositors who hold one account jointly. The depositors
share the same address. When notice is required, may I mail
just one privacy notice?
A.
Yes, you may mail one notice to two or more joint account holders
at the same address. § ___.9(g).
D.2. Q. What
if those same account holders have different addresses?
A.
You still may mail one notice to all accountholders jointly at
one account holder’s address. § ___.9(g).
D.3. Q. One
account holder, A, maintains with me a single account and a joint
account with another consumer, X. What are my obligations to
send privacy notices to A and X? Can I satisfy the initial privacy
notice requirement by sending just one notice?
A.
In some cases, one notice may be sufficient. For example, if
A and X open the joint account first and A subsequently opens
an individual account, you need not provide an additional initial
notice to A if the most recent notice you provided to A as part
of the joint account is accurate as to the individual account.
§ ___.4(d). If A already has an individual account with you but X becomes your
customer at the time the joint account is opened, you must provide
an initial notice to X with respect to the joint account. § ___.4(a). However, you may deliver the initial notice either to A or to X by
providing one notice to those consumers jointly. § ___.9(g). For example, you may deliver one notice addressed to both A and X.
You subsequently may satisfy the annual and revised notice requirements
by sending one notice regarding the joint account either to A
or X.
D.4. Q. One
depositor, A, has two different joint accounts, one with X and
the other with Y. When annual or revised notices are required
as to both accounts, how many notices must I provide?
A.
Annual and revised notices pertaining to each of the joint accounts
may be provided either to A or to both of the other account holders
respectively. Thus, one notice to A is sufficient, as long as
the notice is accurate as to both accounts. § ___.9(g). The Privacy Rule does not require you to mail two identical notices
to A, one for each account.
However, you must neither disclose to X that A has a joint account
with Y nor disclose to Y that A has a joint account with X, unless
these facts are publicly available. The fact that a consumer
is a financial institution’s customer is nonpublic personal information,
unless you have a reasonable basis to believe that the customer
relationship is a matter of public record.
D.5. Q. Assume
the same facts as Question D.4. What if the two joint account
holders with A, X and Y, have different addresses?
A.
You still may provide one notice to A. However, in any communications
with X and Y, you must not disclose to X the fact that A has
a joint account with Y, nor may you disclose to Y that A has
a joint account with X, unless you have a reasonable basis to
believe this information is publicly available.
E. Complying
with the opt out provisions for joint account holders
E.1. Q.
I have two depositors who hold one account jointly. Must I deliver
a separate opt out notice to each account holder and allow each
of them to opt out individually? Suppose I mail only one opt
out notice for that
account, and one
of the joint holders checks “I opt out” and returns it to me.
To whom does the opt out decision apply?
A.
You may deliver either a single opt out notice to one of the
account holders or a separate notice to each account holder.
In either case, the notice must permit one joint account holder
to opt out on behalf of all holders of the account. So long
as your notice fulfills this requirement, you also may permit
joint account holders to opt out individually.
The answer
to your second question depends upon how you have designed your
opt out notice. Your notice must permit one joint account holder
to opt out on behalf of all holders of that account. However,
you have several ways to do this. For example, your notice may
contain one box that, when checked, will result in an opt out
by the person checking the box and all other individuals on the
account. Alternatively, the opt out notice may provide boxes
that enable each individual on the account to opt out separately,
as well as a box that permits one account holder to opt out on
behalf of everyone on the account.
With either
option your opt out notice must clearly and conspicuously describe
how each applicable opt out selection will be treated. For example,
the opt out selection for all account holders should disclose
that the customer making that selection is opting out for all
account holders with respect to information concerning that joint
account. Similarly, the “individual” opt out selection should
explain that the selection applies only to the customer making
the selection.
If you already are disclosing nonpublic personal information
because you did not receive an opt out direction after sending
your initial notice, each joint account holder still may choose
to opt out at a later date. You must abide by any subsequent
opt out decision as soon as reasonably practicable after you
receive it, and you must not delay complying with one individual
account holder’s opt out direction until the remaining account
holder(s) opt out.
Once a consumer opts out, whether during the initial opt out
period or subsequently, you must not share the consumer’s nonpublic
personal information to which the opt out applies unless and
until the consumer subsequently revokes his or her opt out
direction. § ___.7(g)(1).
E.2. Q.
I allow joint account holders X and Y to make independent opt
out elections. For opt outs, I use reply forms with check-off
boxes. Must I mail two opt out response forms for one joint
account?
A. No,
only one is necessary. However, you must allow each account
holder a reasonable amount of time to opt out before disclosing
any nonpublic personal information about him or her. For example,
suppose you normally allow each consumer thirty days to opt out,
and you immediately receive an opt out instruction from X but
not from Y. You still must allow Y the standard thirty days
to opt out before you may disclose any nonpublic personal information
relating to the joint account. You may disclose nonpublic personal
information about Y if Y does not opt out within the reasonable
opt out period, but only to the extent such a disclosure would
not reveal nonpublic personal information about X.
E.3. Q.
I allow joint account holders to make independent opt out elections.
May I require each account holder to opt out in a separate response?
A.
No. You must allow both account holders a reasonable opportunity
to opt out in one response, such as one opt out form or in one
call to your toll-free opt out line.
E.4. Q.
I allow joint account holders, X and Y, to make independent opt
out elections. Suppose that X opted out, but Y did not respond.
What nonpublic personal information about X and Y may I disclose?
A.
Because X has opted out, you must not disclose any nonpublic
personal information about X, except as permitted by an exception
at §§ ___.13, ___.14, or ___.15. In addition, you must not disclose nonpublic personal
information about Y except as permitted by an exception if the
disclosure of that information also would disclose nonpublic
personal information about X.
For example, suppose that X and Y are married, share the same
surname, reside at the same address, and jointly hold a savings
account with you. You may disclose nonpublic personal information
relating to that account about Y, such as the average monthly
balance in the account, as long as that disclosure does not include
any nonpublic personal information about X. Furthermore, you
must not disclose the fact that Y holds the joint account together
with X.
F. Delivering
opt out notices and providing consumers with a reasonable opportunity
to opt out of disclosures
F.1. Q.
Must I provide opt out notices if I do not disclose nonpublic
personal information to nonaffiliated third parties, except as
permitted under one of the exceptions under §§ ___.13, ___.14, or ___.15?
A.
No. If you disclose nonpublic personal information only under
one or more of those exceptions, you need not provide any opt
out notices. Nonetheless, be aware that if you disclose nonpublic
personal information under § ___.13, then you must provide an initial notice that includes a separate statement
that describes that disclosure. Also, you must provide an annual
notice to your customers regardless of your disclosure policies
and practices. § ___.5.
F.2. Q.
What are some reasonable means of allowing consumers an opportunity
to opt out?
A.
You may provide various opt out methods that are reasonable,
depending on the circumstances surrounding the financial product
or service. For example, for new customers who open credit card
accounts, you may deliver a form with a check-off box that they
can check and return to you. If you use this method, you must
deliver the check-off form with your opt out notice. You also
may provide a toll-free telephone number that consumers can call
to opt out. §§ ___.7(a)(2)(ii), ___.10(a)(3)(i).
The Privacy Rule provides that you may require a consumer to
opt out through a specific means if that means is reasonable
for that particular consumer. § ___.7(a)(2)(iv). For example, you may require a consumer who has agreed to the
electronic delivery of notices to opt out by using a process
available on your web site if that consumer uses your web site
to access financial products or services. You also may require
a consumer who conducts an isolated transaction at your branch,
ATM, or office in person to decide whether to opt out as a necessary
part of completing the transaction and to use the means you specify
to effect his or her opt out direction. § ___.10(a)(3)(iii).
Note that you may allow any consumer to opt out by e-mail or by using a process available on your web
site, but you may not require the consumer to use an electronic method if the consumer has not agreed to electronic
delivery of notices. Under these circumstances, you must provide
other reasonable methods for the consumer to opt out.
No particular
method described in an example in the Privacy Rule is strictly
required and there may be other reasonable methods for allowing
a consumer to opt out of disclosures. Some methods to opt out,
however, are unreasonable. For instance, you must not require consumers to write their own letters to opt out as the only opt out
method. § ___.7(a)(2)(iii)(A).
F.3. Q.
If I allow my customers to mail a form to indicate their opt
out election, am I required to provide my customers with a postage-paid
envelope so they can mail the form back?
A.
No. You are not required to provide an individual with a postage-paid
envelope to meet the requirement that you provide a reasonable
means for consumers to opt out.
F.4. Q.
In our initial and annual notices, our bank would like to provide
a tear-off opt out form and our privacy policies on the front
and back of a single sheet of paper. Is this permissible?
A.
Yes, provided the opt out form may be detached without removing
text from your privacy policy. However, if by detaching the
opt out form the customer removes text from the privacy policy,
the practice may violate § ___.9(e). This section requires
a financial institution to provide its privacy notices in a form
in which a customer can retain them or obtain them later. If
the customer would remove text from your privacy policy by detaching
the opt out notice, then you should either redesign the privacy
notice or have procedures in place to provide a customer with
the complete text of your privacy notice upon request.
F.5. Q.
I provide consumer credit cards. I would like to disclose to
nonaffiliated third parties different types of nonpublic personal
information about my customers, such as their addresses and their
account information. The nonaffiliated third parties are not
financial institutions with which I have a joint agreement.
I realize that I must allow my customers to opt out of all these
disclosures, but may I give them the choice to opt out of disclosures
of certain categories of information as well as all categories
of information to nonaffiliated third parties?
A.
Yes. You must allow your customers to opt out of all these disclosures
to nonaffiliated third parties. Additionally, you may allow
your customers to choose to opt out of some types of disclosures,
rather than simply all of those disclosures. For example, you
may allow your customers to opt out of disclosures of account
information and provide a separate opportunity for customers
to opt out of disclosures of their addresses. § ___.10(c).
F.6. Q.
I make consumer loans. I would like to disclose my customer
list to nonaffiliated clothing retailers and to nonaffiliated
automobile dealers. These nonaffiliated third parties are not
financial institutions with which I have a joint agreement.
I realize that I must allow my customers to opt out of all these
disclosures. But may I also give them the choice to opt out
of disclosures to certain kinds of nonaffiliated third parties
without having to opt out of disclosures to all kinds of third
parties?
A.
Yes. You must allow your customers to opt out of all these disclosures.
Additionally, you may allow your customers to choose to opt out
of disclosures to some kinds of nonaffiliated third parties instead
of simply all of those parties. For example, you may allow your
customers to opt out of disclosures to clothing retailers and
allow a separate opportunity for the same customers to opt out
of disclosures to automobile dealers.
F.7. Q.
We deliver opt out notices by mail and allow our new customers
30 days to opt out before we begin sharing their information
with nonaffiliated third parties. Section ___.7(e) provides
that a financial institution must comply with a consumer’s opt
out direction as soon as reasonably practicable after the financial
institution receives it. It may take our bank up to five weeks
to process an opt out direction. If we mail a new customer a
privacy and opt out notice on September 1 and we receive the
customer’s opt out direction on September 15, may we share that
individual’s nonpublic
personal information between September 15 and October 22 -- the
date by which we can process the opt out?
A. No. Because
your question concerns a new customer rather than an existing
one, the standard in § ___.10(a)(1) rather than that in § ___.7(e) applies. Section ___.10(a)(1) of the Privacy Rule provides that a financial
institution may not share a consumer’s nonpublic personal information
unless the institution has given the consumer an initial privacy
notice, an opt out notice, and a reasonable opportunity to opt
out, and the consumer has not opted out. If your customer opts
out at any point within the 30-day period in your example, then
you would not be able to disclose that individual’s information
to nonaffiliated third parties unless the customer subsequently
revoked the opt out direction. § ___.7(g)(1).
Section ___.7(e) applies only where the financial institution
is already lawfully disclosing nonpublic personal information
of existing customers or consumers to nonaffiliated third parties.
Because the Privacy Rule permits consumers to opt out at any
time, § ___.7(e) provides an institution with a reasonable period
of time to process an existing consumer’s opt out election before
the institution must cease disclosing the consumer’s information.
The institution must process the opt out election as soon as
reasonably practicable. For example, following the 30-day period
that you provide initially for your customers to opt out, you
may disclose the nonpublic personal information of those individuals
who have not exercised their right to opt out. However, you
must honor any subsequent opt out election by any of those customers
“as soon as reasonably practicable.”
G. Complying
with the limitations on redisclosure and reuse of nonpublic personal
information
I. Nonpublic
personal information disclosed under an exception
I am a
consumer lender, but a nonaffiliated third party (“Servicer”)
services my loans. I disclose nonpublic personal information
to the Servicer under an exception for that purpose. I have
the following questions.
G.1. Q. I
disclose nonpublic personal information about my customers to
the Servicer so the Servicer can process transactions that the
customers have requested. May the Servicer disclose the information
it collects from me about my customers to a retail merchant that
is not affiliated with me?
A.
Generally, no. When the Servicer receives nonpublic personal
information about your customers under an exception to the notice
and opt out provisions, such as in connection with servicing
your loans, the Servicer’s use and disclosure of that information
is limited. The Servicer must not disclose any nonpublic personal
information to a retail merchant not affiliated with you unless
the Servicer may do so under an applicable exception in §§ ___.14 or ___.15. For example, the Servicer may not provide information about
your customers to the retail merchant for marketing purposes.
G.2. Q. May
the Servicer disclose the nonpublic personal information to my
affiliate?
A.
Yes. The Privacy Rule explicitly provides that the Servicer
may disclose the information to your affiliate. § ___.11(c)(1).
G.3. Q. May
the Servicer disclose the information to the Servicer’s affiliate?
A.
Yes, but the Servicer’s affiliate may disclose and use the information
only as the Servicer could disclose and use it. § ___.11(c)(2). The Servicer’s affiliate therefore may use the information to service
your loans. The affiliate also may disclose the information
under an applicable exception in §§ ___.14 or ___.15 in the ordinary course of business to carry out the activity
covered by the exception under which the Servicer received the
information.
II. Nonpublic
personal information disclosed outside of an exception
I am a
consumer lender and am affiliated with a property insurer. In
my privacy notices I inform consumers that I disclose nonpublic
personal information to my affiliated insurance company. My
privacy notice also states that, if a consumer does not opt out,
I may disclose nonpublic personal information about the consumer
to nonfinancial companies, such as retailers.
Among
the nonaffiliated third parties to whom I disclose information
are an automobile dealer and a residential plumbing company.
The plumbing company is affiliated with a company that sells
air conditioning products and services.
I have
the following questions about disclosing information about consumers
who do not opt out.
G.4. Q. I
disclose information about my customers who do not opt out to
a residential plumbing company. Can the plumbing company use
the information for marketing purposes?
A.
Yes. This is permissible because you disclosed nonpublic personal
information to the plumbing company in accordance with the notice
and opt out provisions of the GLB Act. § 502(a)-(b) of the Act,
codified at 15 U.S.C. § 6802(a)-(b). In other words, you disclosed information about a consumer consistent
with your privacy notice and the consumer’s choice not to opt
out.
As illustrated in the following questions and answers, when the
plumbing company receives from you nonpublic personal information
about a consumer who has not elected to opt out, the company
is free to use the information for marketing or other purposes.
However, the plumbing company may disclose the nonpublic personal
information it receives from you only if such a disclosure is
consistent with the restrictions on disclosure of the information
described in your privacy policy. § ___.11(d). The plumbing company therefore is required to honor any subsequent
opt out elections made by consumers pursuant to your privacy
policy and accordingly must have a mechanism through which it
can monitor and implement subsequent opt out elections you receive.
G.5. Q. One
of my affiliates sells insurance. May the plumbing company,
who received my customers’ information outside an exception,
disclose that information to my affiliated insurer?
A.
Yes. The Privacy Rule explicitly provides that the plumbing
company may disclose the information to your affiliate. § ___.11(d)(1).
G.6. Q. I
disclosed information to the plumbing company outside an exception.
The plumbing company is affiliated with an air conditioning company.
The air conditioning company is not affiliated with me. May
the plumbing company disclose my consumers’ nonpublic personal
information to that air conditioning company?
A.
Yes. The Privacy Rule permits a party that receives nonpublic
personal information outside of an exception to disclose that
information to its affiliates. In this case, therefore, the
plumbing company may disclose the information to its affiliated
air conditioning company. However, the affiliated air conditioning
company may, in turn, disclose the information only to the extent
that the plumbing company may, consistent with your privacy notice.
§ ___.11(d)(2).
G.7. Q. I
disclosed information to the plumbing company outside an exception.
May the plumbing company disclose my consumers’ nonpublic personal
information to a nonaffiliated automobile parts retailer?
A.
Yes. The Privacy Rule permits a party that receives nonpublic
personal information outside of an exception to disclose that
information to another nonaffiliated third party, provided that
it would be lawful for the original financial institution to
make that disclosure directly to that party. Under your privacy
notice, it would be lawful for you to disclose nonpublic personal
information about those consumers who chose not to opt out to
the automobile parts retailer. § ___.11(d)(3). However, the plumbing company could not disclose nonpublic personal
information obtained from you to other nonaffiliated retailers
if your privacy policy would not permit such disclosures.
H. Complying
with the limitation on disclosing account numbers
H.1. Q. I
am a depository institution. I transform my customers’ account
numbers into encrypted forms that can be used solely to identify
those customers. I enter into an arrangement with a third party
telemarketing firm whereby I disclose my customers’ names, telephone
numbers, and encrypted identifying numbers. The third party
telemarketing firm uses that information to market products (other
than products I offer) to those customers. For those customers
who agree to purchase the products, the third party telemarketing
firm submits their encrypted identifying numbers to me, and I
decrypt them into account numbers. At the end of this process,
am I permitted to disclose the customers’ actual account numbers
to the third party telemarketing firm so that the telemarketing
firm can initiate the charges to the customers’ accounts?
A.
No. Section ___.12 generally prohibits you from disclosing credit
card, deposit, or other transaction account numbers “for use
in telemarketing, direct mail marketing, or other marketing through
electronic mail to the consumer.” Accordingly, you must not
provide your customers’ account numbers to the third party telemarketing
firm “for use in telemarketing.”
The primary reason a marketer seeks access to a customer’s account
number is to allow the marketer to initiate a charge to the customer’s
account as part of the transaction. Section ___.12 prohibits
you from disclosing customer transaction account numbers to the
third party telemarketing firm to initiate a charge to a customer’s
account even after a customer accepts the product. Moreover,
the general exceptions for notice and opt out under §§ ___.14 and ___.15, including the exception for disclosing information with the
consent or at the direction of the consumer, do not apply to
disclosures of account numbers for use in marketing that are
prohibited by § ___.12.
Section ___.12 provides only three exceptions. A financial institution
may disclose its customers’ account numbers to: (i) a consumer
reporting agency; (ii) its agent to market the institution’s
own products or services, provided that the agent is not authorized
to directly initiate charges to the account; or (iii) another
participant in a private label credit card or an affinity or
similar program involving the institution. Because none of these
exceptions applies in your case, you must not provide your customers’
account numbers to a third party telemarketing firm so that it
can initiate the charges to the customers’ accounts.
H.2. Q. I
would like to enter into an arrangement with a nonaffiliated
insurance agency that markets its products to my customers through
direct mail solicitations. The proposed arrangement contemplates
that I would disclose a customer’s account number to the insurance
agency’s affiliate. The affiliate then would use the account
number to debit the purchase price from my customer’s account
in response to these solicitations. The affiliate’s only role
in the arrangement would be initiating the charges. Does the
Privacy Rule allow me to disclose a customer’s account number
to the insurance agency’s affiliate under these circumstances?
A. No. The
Privacy Rule prohibits you from disclosing your customers’ account
numbers to any nonaffiliated third party for use in marketing. § ___.12(a). Although the affiliate in your hypothetical does not distribute marketing
materials but only initiates charges, its conduct of that activity
is an integral part of your marketing arrangement with the insurance
company. The disclosure of a customer’s account number to the
insurance company’s affiliate under these circumstances therefore
would be a disclosure for use in marketing that violates the
Privacy Rule.
I. Disclosing
nonpublic personal information under the exceptions to the
notice and opt out provisions
I.1. Q.
I offer consumer checking accounts. I notify my customers that,
among other things, I make disclosures as permitted by law.
Merchants sometimes call me and ask whether a particular consumer’s
checking account has sufficient funds to cover a check to the
merchant. How does the Privacy Rule apply to my response to
the merchant’s question?
A.
The Privacy Rule allows you to disclose nonpublic personal information
about your consumers without providing them a reasonable opportunity
to opt out under certain circumstances. These exceptions to
the opt out requirement are described at §§ ___.13 – ___.15 of
the Privacy Rule. For example, you do not need to allow your
customer to opt out of a disclosure made in connection with processing
or clearing checks (§ ___.14(b)(2)(vi)(A)) or for the purposes of preventing actual or potential fraud,
unauthorized transactions, claims, or other liability (§ ___.15(a)(2)(ii)). Therefore, if you have notified your customer that you make
disclosures as permitted by law, you may disclose whether your
customer’s checking account has sufficient funds to cover a check,
regardless of whether or not the customer has exercised his or
her opt out rights.
Be aware of the possibility that the caller may be attempting
to obtain information about your customer through false or fraudulent
statements to you. Toward this end, you must ensure that you
respond to the caller in accordance with the controls you have
implemented as part of your information security program, as
provided for by the applicable provisions of the banking agencies’
Interagency Guidelines Establishing Standards for Safeguarding
Customer Information and the NCUA’s Guidelines for Safeguarding
Member Information (the “security guidelines”). See 66 Fed. Reg. 8616 (February 1, 2001) and 66 Fed. Reg. 8152 (January 30, 2001).
I.2. Q.
While we may confirm funds availability to a merchant where our
customer seeks to pay for merchandise with a check under the
exceptions in §§ ___.14 and ___.15, may we confirm funds availability
to an individual who is not a merchant for the same purpose?
For instance, if our customer wants to use a check to purchase
a used car from an individual seller, may we respond to the seller’s
request about the availability of funds in the customer’s account
under these exceptions?
A.
Whether or not someone is a “merchant” is not material to determining
if you may disclose customer information pursuant to the exceptions
in §§ ___.14 and ___.15. You should determine whether the third
party to whom you intend to disclose information actually is
involved in carrying out a financial transaction that is requested
or authorized by your customer. Check verification is permitted
under the exceptions to the notice and opt out provisions, such
as in connection with processing or clearing a check under §
___.14(b)(2)(vi)(A), and under § ___.15(a)(2)(ii) to protect
against or prevent actual or potential fraud or unauthorized
transactions.
As discussed in the answer above, if you make such a disclosure
you should take appropriate measures to ensure that the individual
inquiring has a legitimate need for the information and is not
engaging in an attempt to obtain customer information fraudulently.
Concerns about properly safeguarding customer information are
heightened in a situation in which you disclose nonpublic personal
information to an individual rather than to a known merchant.
I.3. Q.
I offer consumer checking accounts. I notify my customers that,
among other things, I make disclosures as permitted by law.
My checking account customers deposit checks made payable to
my customer but drawn on a financial institution unaffiliated
with me. My practice is to write my customer’s account number
on the back of the deposited check to facilitate its processing.
The check itself then goes to the maker’s financial institution,
with my customer’s account number on the check. Is this a disclosure
of nonpublic personal information that would be subject to opt
out requirements or the prohibition against sharing account numbers?
A.
No. The opt out provisions do not apply to disclosures in connection
with servicing or processing a financial product or service that
a consumer requests or authorizes. Nor do they apply to disclosures
that are required, or are a usual, appropriate, or acceptable
method in connection with settling, processing, clearing, transferring,
reconciling or collecting amounts charged, debited or otherwise
paid. §§ ___.14(a), ___.14(b)(2)(vi)(A). Also, because the account number is added to the check
solely for use in processing the check and is not used in connection
with marketing by a third party, this disclosure is not prohibited
by the ban on disclosing account numbers for marketing purposes.
§ ___.12.
I.4. Q.
I made a loan to a consumer who defaulted. In trying to collect
the bad loan, I wish to learn information to locate the defaulting
borrower. I believe that a financial institution unaffiliated
with me may have some helpful information about the borrower.
If I were to ask that institution for information, I would disclose
nonpublic personal information, such as the fact that I have
a loan to a particular consumer. I previously notified my borrower
that, among other things, I make disclosures as permitted by
law. Must I allow my borrower to opt out of my question to the
financial institution?
A.
No. You may disclose nonpublic personal information to the financial
institution without complying with the opt out provisions as
necessary to enforce a consumer loan where the disclosure is
required or is one of the lawful or appropriate methods to enforce
your rights. § ___.14(b)(1).
I.5. Q.
A financial institution that is not affiliated with me made a
loan to a consumer who defaulted. In trying to collect the bad
loan, the lender wishes to learn information to locate the defaulting
borrower. The lender believes that I may have some helpful information
about the borrower and asks me to disclose nonpublic personal
information. I notify my consumers that, among other things,
I make disclosures as permitted by law. May I disclose nonpublic
personal information to help the lender try to collect a bad
loan without providing opt out notices?
A.
Where you have notified your consumer that you make disclosures
as permitted by law, you may make disclosures to “persons holding
a legal or beneficial interest relating to the consumer,” or
under the appropriate circumstances, “to protect against or prevent
actual or potential fraud, unauthorized transactions, claims,
or other liability,” without providing opt out notices and a
reasonable opportunity for a consumer to opt out. § ___.15(a)(2)(iv); § ___.15(a)(2)(ii). Thus, disclosures to the lender may be permissible without
complying with the opt out provisions.
As stated above, you must be aware of the possibility that the
party requesting the information may be attempting to obtain
that information about your customer through false or fraudulent
statements to you.
I.6. Q.
I make consumer loans. I notify my customers that, among other
things, I make disclosures as permitted by law. A state law
requires me to disclose to the state the names, addresses, social
security numbers, and account balances of individuals the state
believes have failed to make required child support payments.
Does the Privacy Rule require me to allow my customers to opt
out of disclosures to the state under this state law?
A.
No. The Privacy Rule exempts from the opt out provisions any
disclosures you make “[t]o comply with Federal, State, or local
laws, rules and other applicable legal requirements.” § ___.15(a)(7)(i).
I.7. Q.
Must I provide a privacy notice to consumers who are not my customers
when I have to report information about denied mortgage applicants
under the Home Mortgage Disclosure Act (“HMDA”)?
A.
No. If the information that HMDA requires you to disclose is
not personally identifiable, the Privacy Rule would not apply
to your disclosure of that information. Alternatively, if you
disclose nonpublic personal information to comply with the law,
you may disclose the information under § ___.15(a)(7)(i) without
providing a privacy notice to consumers who are not your customers.
I.8. Q.
We often receive phone calls from auto dealers or other financial
institutions requesting loan pay-off amounts on our customers.
May we respond to these requests without providing those customers
with a reasonable opportunity to opt out of that kind of disclosure?
A.
Yes, if the disclosure is in connection with servicing or processing
a financial product or service from the third party that the
customer has requested or authorized. In your case, for example,
you may disclose loan pay-off information to a third party lender
where your customer seeks to refinance the bank loan with the
other lender. Alternatively, you may disclose nonpublic personal
information that is required, or is a usual, appropriate or acceptable
method to carry out the transaction that the customer has requested
or authorized. § ___.14(a). This would be the case, for example, if the car dealer accepts your
customer’s car as partial consideration for the purchase of another
vehicle and wants to know the outstanding amount on the customer’s
car loan with you.
As discussed in response to several of the questions above, you
should be aware of the possibility that the caller may be attempting
to obtain information about your customer through false or fraudulent
statements to you. Toward this end, you must ensure that you
respond to the caller in accordance with the controls you have
implemented as part of your information security program.
I.9. Q.
During the ordinary course of business, I may request proof of
insurance from a nonaffiliated insurance agency on an automobile
that serves as our collateral on a customer’s loan. May I disclose
customer information to the insurance agency in order to obtain
this information without triggering specific notice and opt out
requirements?
A.
Yes, you may disclose nonpublic personal information, such as
the existence of your relationship with a particular customer,
to a nonaffiliated insurance agency in order to obtain proof
of insurance under the exceptions to the specific notice and
opt out requirements in § ___.14. For example, you could disclose
nonpublic personal information under the exception in § ___.14(b)(1)
as a lawful or appropriate method to enforce your rights in providing
the loan.
I.10. Q.
I make wire transfers for consumers who are not otherwise my
customers. Do I have to provide an initial privacy notice to
these consumers when I only make a wire transfer for them?
A.
No. Processing a wire transfer for a consumer on a one-time
basis would not create a customer relationship, even if the consumer
repeatedly requests that one-time service. Accordingly, you
do not owe the consumer an initial notice on that basis. Furthermore,
this disclosure would fall under the exception for processing
a transaction that a consumer has requested or authorized. § ___.14(a)(1). Consequently, you would not be required to provide any privacy
notices unless you also disclosed nonpublic personal information
about the consumer to nonaffiliated third parties outside of
an exception under § ___.14 or § ___.15. See § ___.4(a)(2).
I.11. Q.
I use a nonaffiliated third party to service consumer loans,
and in this arrangement I disclose to the servicer nonpublic
personal information about my borrowers. This arrangement seems
to qualify for an exception from both the notice and opt out
requirements, under § ___.14(a)(1). At the same time, this arrangement
seems to qualify for an exception from opt out requirements—but
not from notice requirements—under § ___.13(a)(1). The latter exception requires me to provide notice to consumers
of the disclosures, and requires language in our contract that
restricts the servicer’s
further disclosure
and use of the nonpublic personal information. When a servicing
arrangement qualifies for two differing exceptions, which applies?
A.
When a disclosure qualifies for both the § ___.13 exception and
a § ___.14 or § ___.15 exception, you do not need to comply with the notice and confidentiality
provisions under § ___.13. Instead, you may make that disclosure
solely in accordance with an exception under § ___.14 or § ___.15.
I.12. Q.
A community bank has an agreement with a mortgage company to
prequalify mortgage loan applicants prior to referring them to
the mortgage company for underwriting. As part of this agreement,
the community bank, among other things, (1) educates applicants
about home buying and about different types of loan products
available; (2) collects financial information and related documents;
(3) assists the applicant in understanding and resolving credit
problems; and (4) maintains regular contact with the applicant
during the loan process to apprise the applicant of the status
of the application.
The community bank forwards the completed loan application to
the mortgage company for underwriting, origination and servicing.
After the loan is approved, the community bank has no further
contact with the applicant with respect to the applicant’s loan.
Does the bank have to provide an initial privacy notice to the
applicant? If so, does the bank have to disclose this information
sharing arrangement in its privacy notice, or is it covered by
an exception in § ___.14 or § ___.15?
A.
If the bank does not already have a customer relationship with
the loan applicant, the services that the bank performs pursuant
to this program appear to give rise to a customer relationship
between the applicant and the bank as described in § ___.3(i)(2)(i)(F), at least until the applicant has completed the loan process.
As a result, the bank would have to provide an initial privacy
notice. Whether the bank must disclose the information sharing
arrangement with the mortgage company in its privacy notice depends
on whether the disclosure is permitted under one of the exceptions
in §§ ___.13, ___.14, or ___.15.
If the bank and the mortgage company have an agreement to jointly
offer, endorse, or sponsor the mortgage company’s loan product
as described in § ___.13 and otherwise comply with the confidentiality requirements of this section,
the bank would have to describe this arrangement in its privacy
notice in accordance with § ___.6(a)(5).
Where the bank discloses to the applicant that the mortgage loan
will be made by the mortgage company and not the bank, the bank’s
disclosure of the applicant’s nonpublic personal information
to the mortgage company would fall within the exception in § ___.14(a)(1), to service or process a financial product the consumer has requested.
The bank would not have to specifically describe this information
sharing arrangement in its privacy notice as long as the notice
states that the bank makes disclosures to nonaffiliated third
parties “as permitted by law.” § ___.6(b)
Finally, the bank could obtain the applicant’s specific consent
to disclose the applicant’s nonpublic personal information to
the mortgage company so the applicant may obtain the loan. In
that event, the disclosure would fall within the exception in
§ ___.15(a)(1). The bank’s privacy notice may refer to this disclosure as “permitted
by law.” § ___.6(b).
Where the disclosure of information may be made pursuant to an
exception under both § ___.13 and either § ___.14 or § ___.15, the bank may rely on the latter exceptions, and therefore would not have
to specifically describe in its privacy notice its disclosure
arrangements under § ___.6(a)(5).
The mortgage company also will establish a customer relationship
with any applicant for whom it originates a loan, and will have
to provide a notice of its privacy policies not later than when
it establishes the customer relationship.
J. Complying
with the exception to the opt out provisions for joint marketing
arrangements
J.1. Q.
I disclose my consumer borrowers’ names and addresses to a nonaffiliated
insurance company. The insurance company sends the borrowers
a letter, on my letterhead, offering insurance. I do not sell
insurance. Does this arrangement qualify for the § ___.13 joint marketing agreement exception? Must the products described in the
marketing materials be our products?
A. The exception
to the opt out requirement in § ___.13 applies to disclosures
you make to nonaffiliated third parties pursuant to a joint written
agreement between you and one or more financial institutions
under which you and the other financial institution(s) jointly
offer, endorse, or sponsor a financial product or service. You
may disclose your consumer borrowers’ names and addresses to
the insurance company under § ___.13 because (i) the insurance company is a financial institution, (ii) insurance is a financial
product or service, and (iii) you and the insurance company market
the insurance together. The financial product you offer, sponsor
or endorse under a joint agreement with another financial institution
need not be your product.
You and the insurance company must have a written agreement that
restricts the insurance company from disclosing or using the
borrowers’ nonpublic personal information for any purpose other
than selling insurance to the borrowers. Furthermore, you must
describe this type of arrangement in your privacy notice in accordance
with § ___.6(a)(5).
J.2. Q.
I disclose my consumer borrowers’ names and addresses to a nonaffiliated
retail merchant that sells household goods, hardware, and clothing.
The retail merchant wants to send notices, on my letterhead,
offering household products. Would this arrangement qualify
for the § ___.13 joint marketing agreement exception?
A.
No. To qualify for the § ___.13 exception, a joint marketing arrangement must be an agreement between
financial institutions for offering, endorsing, or sponsoring
financial products or services.
J.3. Q.
Each month I mail account statements to my customers. May I
include marketing materials for a third party vendor’s products
in my mailings to my customers? I do not have a joint marketing
agreement under § ___.13 with the vendor.
A.
Yes. However, you must be careful not to facilitate your customer’s
unwitting disclosure of his or her nonpublic personal information
to the vendor by virtue of a response to the marketing materials.
For example, the vendor may have printed a reference code on
its marketing materials that indicates that the offer for that
product was sent to your customers who share certain financial
characteristics. From this code, the vendor would be able to
determine that the individual who responds to the marketing materials
that you delivered is your customer or holds certain kinds of
assets. In that case, you would have disclosed nonpublic personal
information about the customer to the vendor.
To comply
with the Privacy Rule under these circumstances, you must either
describe these types of marketing arrangements in your initial,
annual, or revised privacy notice and provide your customer with
a reasonable opportunity to opt out or obtain your customer’s
specific consent to such arrangements. Alternatively, you may
structure the marketing materials so your customer knows that
by responding he or she would be disclosing certain categories
of nonpublic personal information about himself or herself.
J.4. Q.
I am a bank. I have a financial advisory center on my premises
that is operated by people employed both by me and by an insurance
company. The shared employees do not sell bank products. They
sell insurance products and services offered by the insurance
company pursuant to a third-party arrangement. We provide the
employees with information about our customers so that they may
solicit our customers on behalf of the insurance company. Do
we have to provide our customers with an opportunity to opt out
of these disclosures?
A.
You must provide a reasonable opportunity for your customers
to opt out of any disclosure of their nonpublic personal information
to a nonaffiliated third party unless one of the exceptions applies.
Although a dual employee himself or herself is not a “nonaffiliated
third party,” providing customer information to a dual employee
for purposes of marketing the insurance company’s products and
services to your customers is deemed to be providing the information
directly to the insurance company. Because the insurance company
is a nonaffiliated third party, you must provide your customers
a reasonable opportunity to opt out of disclosure of their nonpublic
personal information prior to disclosing such information to
the dual employees unless the disclosure is covered by an exception.
The exception at § ___.13 specifically permits you to disclose
nonpublic personal information about your customer to the nonaffiliated
insurance company without providing the customer an opportunity
to opt out if three requirements are met:
The insurance company
must market financial products or services offered under a joint
agreement between you and the insurance company. The joint agreement
must be a written agreement under which you and the insurance
company “jointly offer, endorse, or sponsor” a financial product
or service. Simply agreeing to share customer information with
the insurance company would not satisfy this contractual requirement.
Rather, your agreement with the insurance company must provide
for the joint offering, endorsement, or sponsorship of the financial
product or service. For example, a third-party agreement that
provides the insurance company will use your name in its marketing
materials or offer insurance products and services on your premises
would demonstrate that you are jointly offering, endorsing, or
sponsoring the products or services with the insurance company;
You must have provided
your customers with an initial privacy notice, including a separate
statement describing your joint marketing that satisfies § ___.6(a)(5);
and
You must have a
written contract that restricts the insurance company from disclosing
or using your customer’s nonpublic personal information for any
purpose other than to offer insurance products and services to
those customers.
In addition
to the foregoing requirements, the prohibition against disclosing
a consumer’s account number for use in telemarketing, direct
mail marketing, or other marketing through electronic mail, as
set forth in § ___.12, applies to your arrangement with the insurance company.
J.5. Q.
Must I have a confidentiality and security clause in all my contracts
with service providers who have access to customer information?
A.
Both the privacy regulations and the banking agencies’ and NCUA’s
security guidelines provide for financial institutions to enter
into contracts with service providers that address customer information
in particular circumstances. The provisions differ, however,
and those differences are as follows:
Under § ___.13 of the Privacy Rule, you may share nonpublic personal information with
a servicer, without providing a consumer with the right to opt
out of this disclosure, if you have a contract with the servicer
that limits the servicer’s ability to further use or disclose this information. The Privacy Rule does not require you to have such a contract clause in place
prior to disclosing information to any servicer —only those servicing
arrangements that fall within § ___.13. If the servicing arrangement is within the scope of the exceptions in
§§ ___.14 and ___.15, you may disclose information to the servicer without a contract
that limits the servicer’s ability to use or disclose nonpublic
personal information. In those instances, the servicer will
be subject to the limits on reuse and redisclosure under § ___.11.
Under III.D.2 of the security guidelines, you should provide
by contract with each of your service providers that has access
to customer information that it undertakes security measures that will protect your customer information. The supplementary materials to the guidelines explain that a service provider
must implement controls that satisfy the objectives of the guidelines,
yet need not have a security program that is identical to the
program that financial institutions themselves must implement
under the guidelines.
There is a different transition rule for each of these contract
clauses. Section ___.18 of the Privacy Rule states that a contract
entered into on or before July 1, 2000, must be brought into
compliance with the provisions of § ___.13 by July 1, 2002. Contracts entered into after July 1, 2000, should have
been brought into compliance by July 1, 2001. The security guidelines
provide that a contract entered into on or before March 5, 2001,
between a bank and service provider should be brought into compliance
with the security guidelines by July 1, 2003. Contracts entered
into after March 5, 2001, should have been brought into compliance by July 1, 2001.