§ 1016.9 - Delivering privacy and opt out notices.



    (a) How to provide notices. You must provide any privacy notices and opt out notices, including short-form initial notices, that this part requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.

    (b)

    (1) Examples of reasonable expectation of actual notice. You may reasonably expect that a consumer will receive actual notice if you:

    (i) Hand-deliver a printed copy of the notice to the consumer;

    (ii) Mail a printed copy of the notice to the last known address of the consumer;

    (iii) For the consumer who conducts transactions electronically:

    (A) In the case of financial institutions other than those described in § 1016.3(l)(3) of this part, post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service; or

    (B) In the case of financial institutions described in § 1016.3(l)(3), clearly and conspicuously post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service;

    (iv) For an isolated transaction with the consumer, such as an ATM transaction, post the notice on the ATM screen and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.

    (2) Examples of unreasonable expectation of actual notice. You may not, however, reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you:

    (i) Only post a sign in your branch or office or generally publish advertisements of your privacy policies and practices; or

    (ii) Send the notice via electronic mail to a consumer who does not obtain a financial product or service from you electronically.

    (c) Annual notices only -

    (1) Reasonable expectation. You may reasonably expect that a customer will receive actual notice of your annual privacy notice if:

    (i) The customer uses your Web site to access financial products and services electronically and agrees to receive notices at the Web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the Web site; or

    (ii) The customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request.

    (2) Alternative method for providing certain annual notices.

    (i) Notwithstanding paragraph (a) of this section, you may use the alternative method described in paragraph (c)(2)(ii) of this section to satisfy the requirement in § 1016.5(a)(1) to provide a notice if:

    (A) You do not disclose the customer's nonpublic personal information to nonaffiliated third parties other than for purposes under §§ 1016.13, 1016.14, and 1016.15;

    (B) You do not include on your annual privacy notice pursuant to § 1016.6(a)(7) an opt out under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii));

    (C) The requirements of section 624 of the Fair Credit Reporting Act (15 U.S.C. 1681s-3) and subpart C of part 1022 of this chapter, if applicable, have been satisfied previously or the annual privacy notice is not the only notice provided to satisfy such requirements;

    (D) The information you are required to convey on your annual privacy notice pursuant to § 1016.6(a)(1) through (5), (8), and (9) has not changed since you provided the immediately previous privacy notice (whether initial, annual, or revised) to the customer, other than to eliminate categories of information you disclose or categories of third parties to whom you disclose information; and

    (E) You use the model privacy form in the appendix to this part for your annual privacy notice.

    (ii) For an annual privacy notice that meets the requirements in paragraph (c)(2)(i) of this section, you satisfy the requirement in § 1016.5(a)(1) to provide a notice if you:

    (A) Convey in a clear and conspicuous manner not less than annually on an account statement, coupon book, or a notice or disclosure you are required or expressly and specifically permitted to issue to the customer under any other provision of law that your privacy notice is available on your Web site and will be mailed to the customer upon request by telephone. The statement must state that your privacy notice has not changed and must include a specific Web address that takes the customer directly to the page where the privacy notice is posted and a telephone number for the customer to request that it be mailed;

    (B) Post your current privacy notice continuously and in clear and conspicuous manner on a page of your Web site on which the only content is the privacy notice, without requiring the customer to provide any information such as a login name or password or agree to any conditions to access the page; and

    (C) Mail your current privacy notice to those customers who request it by telephone within ten days of the request.

    (iii) An example of a statement that satisfies paragraph (c)(2)(ii)(A) of this section is as follows with the words “Privacy Notice” in boldface or otherwise emphasized: Privacy Notice - Federal law requires us to tell you how we collect, share, and protect your personal information. Our privacy policy has not changed and you may review our policy and practices with respect to your personal information at [Web address] or we will mail you a free copy upon request if you call us at [telephone number].

    (d) Oral description of notice insufficient. You may not provide any notice required by this part solely by orally explaining the notice, either in person or over the telephone.

    (e) Retention or accessibility of notices for customers.

    (1) For customers only, you must provide the initial notice required by § 1016.4(a)(1), the annual notice required by § 1016.5(a), and the revised notice required by § 1016.8 so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.

    (2) Examples of retention or accessibility. You provide a privacy notice to the customer so that the customer can retain it or obtain it later if you:

    (i) Hand-deliver a printed copy of the notice to the customer;

    (ii) Mail a printed copy of the notice to the last known address of the customer, or, in the case of credit unions, mail a printed copy of the notice to the last known address of the customer upon request of the customer; or

    (iii) Make your current privacy notice available on a Web site (or a link to another Web site) for the customer who obtains a financial product or service electronically and agrees to receive the notice at the Web site.

    (f) Joint notice with other financial institutions. You may provide a joint notice from you and one or more of your affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to you and the other institutions.

    (g) Joint relationships in the case of financial institutions other than credit unions and covered entities subject to FTC enforcement jurisdiction. For purposes of this paragraph (g), “you” is limited to financial institutions other than credit unions and the financial institutions described in § 1016.3(l)(3). If two or more consumers jointly obtain a financial product or service from you, you may satisfy the initial, annual, and revised notice requirements of §§ 1016.4(a), 1016.5(a), and 1016.8(a), respectively, by providing one notice to those consumers jointly.

    (h) Joint relationships in the case of covered entities subject to FTC enforcement jurisdiction. For purposes of this paragraph (h), “you” is limited to the financial institutions described in § 1016.3(l)(3). If two or more consumers jointly obtain a financial product or service from you, you may satisfy the initial, annual, and revised notice requirements of §§ 1016.4(a), 1016.5(a), and 1016.8(a) by providing one notice to those consumers jointly, unless one or more of those consumers requests separate notices.

    (i) Joint relationships in the case of credit unions.

    (1) If two or more consumers jointly obtain a financial product or service, other than a loan, from a credit union, the credit union may satisfy the requirements of § 1016.4(a) by providing one initial notice to those consumers jointly.

    (2) Special rule for loans in the case of credit unions.

    (i) A credit union is required to provide an initial notice to a borrower or guarantor on a loan if the credit union shares his or her nonpublic personal information with nonaffiliated third parties other than for purposes under §§ 1016.13, 1016.14, and 1016.15.

    (ii) A credit union may satisfy the annual notice requirements of § 1016.5 by providing one notice to those borrowers and guarantors jointly.

    [76 FR 79028, Dec. 21, 2011, as amended at 79 FR 64081, Oct. 28, 2014; CFPB-2016-0032, 83 FR 40959, Aug. 17, 2018]