Regulations last checked for updates: Nov 22, 2024

Title 17 - Commodity and Securities Exchanges last revised: Nov 19, 2024
§ 160.10 - Limits on disclosure of nonpublic personal information to nonaffiliated third parties.

(a)(1) Conditions for disclosure. Except as otherwise authorized in this part, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless:

(i) You have provided to the consumer an initial notice as required under § 160.4;

(ii) You have provided to the consumer an opt out notice as required in § 160.7;

(iii) You have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) The consumer does not opt out.

(2) Opt out definition. Opt out means a direction by the consumer that you not disclose nonpublic personal information about that consumer to a nonaffiliated third party, other than as permitted by §§ 160.13, 160.14 and 160.15.

(3) Examples of reasonable opportunity to opt out. You provide a consumer with a reasonable opportunity to opt out if:

(i) By mail. You mail the notices required in paragraph (a)(1) of this section to the consumer and allow the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days after the date you mailed the notices.

(ii) By electronic means. A customer opens an on-line account with you and agrees to receive the notices required in paragraph (a)(1) of this section electronically, and you allow the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.

(iii) Isolated transaction with consumer. For an isolated transaction with a consumer, you provide the consumer with a reasonable opportunity to opt out if you provide the notices required in paragraph (a)(1) of this section at the time of the transaction and request that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.

(b) Application of opt out to all consumers and all nonpublic personal information. (1) You must comply with this section, regardless of whether you and the consumer have established a customer relationship.

(2) Unless you comply with this section, you may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer that you have collected, regardless of whether you have collected it before or after receiving the direction to opt out from the consumer.

(c) Partial opt out. You may allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.

§ 160.11 - Limits on redisclosure and reuse of information.

(a)(1) Information you receive under an exception. If you receive nonpublic personal information from a nonaffiliated financial institution under an exception in § 160.14 or § 160.15, your disclosure and use of that information is limited as follows:

(i) You may disclose the information to the affiliate of the financial institution from which you received the information;

(ii) You may disclose the information to your affiliates, but your affiliates may, in turn, disclose and use the information only to the extent that you may disclose and use the information; and

(iii) You may disclose and use the information pursuant to an exception in § 160.14 or § 160.15 in the ordinary course of business to carry out the activity covered by the exception under which you received the information.

(2) Example. If you receive a customer list from a nonaffiliated financial institution in order to provide account-processing services under the exception in § 160.14(a), you may disclose that information under any exception in § 160.14 or § 160.15 in the ordinary course of business in order to provide those services. For example, you could disclose that information in response to a properly authorized subpoena or in the ordinary course of business to your attorneys, accountants, and auditors. You could not disclose that information to a third party for marketing purposes or use that information for your own marketing purposes.

(b)(1) Information you receive outside of an exception. If you receive nonpublic personal information from a nonaffiliated financial institution other than under an exception in § 160.14 or § 160.15, you may disclose the information only:

(i) To the affiliates of the financial institution from which you received the information;

(ii) To your affiliates, but your affiliates may, in turn, disclose the information only to the extent that you can disclose the information; and

(iii) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which you received the information.

(2) Example. If you obtain a customer list from a nonaffiliated financial institution outside of the exceptions in §§ 160.14 and 160.15:

(i) You may use that list for your own purposes;

(ii) You may disclose that list to another nonaffiliated third party only if the financial institution from which you purchased the list could have lawfully disclosed that list to that third party. That is, you may disclose the list in accordance with the privacy policy of the financial institution from which you received the list as limited by the opt out direction of each consumer whose nonpublic personal information you intend to disclose, and you may disclose the list in accordance with an exception in §§ 160.14 and 160.15, such as in the ordinary course of business to your attorneys, accountants, or auditors.

(c) Information you disclose under an exception. If you disclose nonpublic personal information to a nonaffiliated third party under an exception in § 160.14 or § 160.15, the third party may disclose and use that information only as follows:

(1) The third party may disclose the information to your affiliates;

(2) The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and

(3) The third party may disclose and use the information pursuant to an exception in § 160.14 or § 160.15 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

(d) Information you disclose outside of an exception. If you disclose nonpublic personal information to a nonaffiliated third party other than under an exception in § 160.14 or § 160.15, the third party may disclose the information only:

(1) To your affiliates;

(2) To its affiliates, but its affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and

(3) To any other person, if the disclosure would be lawful if you made it directly to that person.

§ 160.12 - Limits on sharing account number information for marketing purposes.

(a) General prohibition on disclosure of account numbers. You must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a consumer's credit card account, deposit account or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.

(b) Exceptions. Paragraph (a) of this section does not apply if you disclose an account number or similar form of access number or access code:

(1) To your agent or service provider solely in order to perform marketing for your own services or products, as long as the agent or service provider is not authorized to directly initiate charges to the account; or

(2) To a participant in a private-label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.

(c) Example. An account number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as you do not provide the recipient with a means to decode the number or code.

authority: 7 U.S.C. 7b-2 and 12a(5); 15 U.S.C 6801,
source: 66 FR 21252, Apr. 27, 2001, unless otherwise noted.
cite as: 17 CFR 160.12