Code of Federal Regulations (Last Updated: November 8, 2024) |
Title 12 - Banks and Banking |
Chapter I - Comptroller of the Currency, Department of the Treasury |
Part 40 - PRIVACY OF CONSUMER FINANCIAL INFORMATION |
Subpart A - Privacy and Opt Out Notices |
§ 40.8 - Revised privacy notices.
(a) General rule. Except as otherwise authorized in this part, a bank must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that the bank provided to that consumer under §40.4, unless:
(1) The bank has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices;
(2) The bank has provided to the consumer a new opt out notice;
(3) The bank has given the consumer a reasonable opportunity, before the bank discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) The consumer does not opt out.
(b) Examples. (1) Except as otherwise permitted by §§40.13, 40.14, and 40.15, a bank must provide a revised notice before it:
(i) Discloses a new category of nonpublic personal information to any nonaffiliated third party;
(ii) Discloses nonpublic personal information to a new category of nonaffiliated third party; or
(iii) Discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.
(2) A revised notice is not required if the bank discloses nonpublic personal information to a new nonaffiliated third party that the bank adequately described in its prior notice.
(c) Delivery. When a bank is required to deliver a revised privacy notice by this section, the bank must deliver it according to §40.9.