Code of Federal Regulations (Last Updated: November 8, 2024) |
Title 12 - Banks and Banking |
Chapter I - Comptroller of the Currency, Department of the Treasury |
Part 40 - PRIVACY OF CONSUMER FINANCIAL INFORMATION |
Subpart A - Privacy and Opt Out Notices |
§ 40.6 - Information to be included in privacy notices.
(a) General rule. The initial, annual, and revised privacy notices that a bank provides under §§40.4, 40.5, and 40.8 must include each of the following items of information, in addition to any other information the bank wishes to provide, that applies to the bank and to the consumers to whom the bank sends its privacy notice:
(1) The categories of nonpublic personal information that the bank collects;
(2) The categories of nonpublic personal information that the bank discloses;
(3) The categories of affiliates and nonaffiliated third parties to whom the bank discloses nonpublic personal information, other than those parties to whom the bank discloses information under §§40.14 and 40.15;
(4) The categories of nonpublic personal information about the bank's former customers that the bank discloses and the categories of affiliates and nonaffiliated third parties to whom the bank discloses nonpublic personal information about the bank's former customers, other than those parties to whom the bank discloses information under §§40.14 and 40.15;
(5) If a bank discloses nonpublic personal information to a nonaffiliated third party under §40.13 (and no other exception in §§40.14 or 40.15 applies to that disclosure), a separate statement of the categories of information the bank discloses and the categories of third parties with whom the bank has contracted;
(6) An explanation of the consumer's right under §40.10(a) to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time;
(7) Any disclosures that the bank makes under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
(8) The bank's policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
(9) Any disclosure that the bank makes under paragraph (b) of this section.
(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§40.14 and 40.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§40.4 and 40.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes, such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
(c) Examples—(1) Categories of nonpublic personal information that the bank collects. A bank satisfies the requirement to categorize the nonpublic personal information that it collects if it lists the following categories, as applicable:
(i) Information from the consumer;
(ii) Information about the consumer's transactions with the bank or its affiliates;
(iii) Information about the consumer's transactions with nonaffiliated third parties; and
(iv) Information from a consumer reporting agency.
(2) Categories of nonpublic personal information the bank discloses. (i) A bank satisfies the requirement to categorize the nonpublic personal information that it discloses if the bank lists the categories described in paragraph (e)(1) of this section, as applicable, and a few examples to illustrate the types of information in each category.
(ii) If a bank reserves the right to disclose all of the nonpublic personal information about consumers that it collects, it may simply state that fact without describing the categories or examples of the nonpublic personal information it discloses.
(3) Categories of affiliates and nonaffiliated third parties to whom the bank discloses. A bank satisfies the requirement to categorize the affiliates and nonaffiliated third parties to whom it discloses nonpublic personal information if the bank lists the following categories, as applicable, and a few examples to illustrate the types of third parties in each category:
(i) Financial service providers;
(ii) Non-financial companies; and
(iii) Others.
(4) Disclosures under exception for service providers and joint marketers. If a bank discloses nonpublic personal information under the exception in §40.13 to a nonaffiliated third party to market products or services that it offers alone or jointly with another financial institution, the bank satisfies the disclosure requirement of paragraph (a)(5) of this section if it:
(i) Lists the categories of nonpublic personal information it discloses, using the same categories and examples the bank used to meet the requirements of paragraph (a)(2) of this section, as applicable; and
(ii) States whether the third party is:
(A) A service provider that performs marketing services on the bank's behalf or on behalf of the bank and another financial institution; or
(B) A financial institution with whom the bank has a joint marketing agreement.
(5) Simplified notices. If a bank does not disclose, and does not wish to reserve the right to disclose, nonpublic personal information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §§40.14 and 40.15, the bank may simply state that fact, in addition to the information it must provide under paragraphs (a)(1), (a)(8), (a)(9), and (b) of this section.
(6) Confidentiality and security. A bank describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if it does both of the following:
(i) Describes in general terms who is authorized to have access to the information; and
(ii) States whether the bank has security practices and procedures in place to ensure the confidentiality of the information in accordance with the bank's policy. The bank is not required to describe technical information about the safeguards it uses.
(d) Short-form initial notice with opt out notice for non-customers. (1) A bank may satisfy the initial notice requirements in §§40.4(a)(2), 40.7(b), and 40.7(c) for a consumer who is not a customer by providing a short-form initial notice at the same time as the bank delivers an opt out notice as required in §40.7.
(2) A short-form initial notice must:
(i) Be clear and conspicuous;
(ii) State that the bank's privacy notice is available upon request; and
(iii) Explain a reasonable means by which the consumer may obtain that notice.
(3) The bank must deliver its short-form initial notice according to §40.9. The bank is not required to deliver its privacy notice with its short-form initial notice. The bank instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the bank's short-form notice requests the bank's privacy notice, the bank must deliver its privacy notice according to §40.9.
(4) Examples of obtaining privacy notice. The bank provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the bank:
(i) Provides a toll-free telephone number that the consumer may call to request the notice; or
(ii) For a consumer who conducts business in person at the bank's office, maintains copies of the notice on hand that the bank provides to the consumer immediately upon request.
(e) Future disclosures. The bank's notice may include:
(1) Categories of nonpublic personal information that the bank reserves the right to disclose in the future, but does not currently disclose; and
(2) Categories of affiliates or nonaffiliated third parties to whom the bank reserves the right in the future to disclose, but to whom the bank does not currently disclose, nonpublic personal information.
(f) Model privacy form. Pursuant to §40.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in appendix A of this part.
[65 FR 35196, June 1, 2000, as amended at 74 FR 62916, Dec. 1, 2009]