12 C.F.R. Subpart B—Limits on Disclosures


Title 12 - Banks and Banking


PART 40—PRIVACY OF CONSUMER FINANCIAL INFORMATION


Subpart B—Limits on Disclosures

§ 40.10   Limits on disclosure of non-public personal information to nonaffiliated third parties.

(a)(1) Conditions for disclosure. Except as otherwise authorized in this part, a bank may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless:

(i) The bank has provided to the consumer an initial notice as required under §40.4;

(ii) The bank has provided to the consumer an opt out notice as required in §40.7;

(iii) The bank has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and

(iv) The consumer does not opt out.

(2) Opt out definition. Opt out means a direction by the consumer that the bank not disclose nonpublic personal information about that consumer to a nonaffiliated third party, other than as permitted by §§40.13, 40.14, and 40.15.

(3) Examples of reasonable opportunity to opt out. A bank provides a consumer with a reasonable opportunity to opt out if:

(i) By mail. The bank mails the notices required in paragraph (a)(1) of this section to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days from the date the bank mailed the notices.

(ii) By electronic means. A customer opens an on-line account with a bank and agrees to receive the notices required in paragraph (a)(1) of this section electronically, and the bank allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.

(iii) Isolated transaction with consumer. For an isolated transaction, such as the purchase of a cashier's check by a consumer, a bank provides the consumer with a reasonable opportunity to opt out if the bank provides the notices required in paragraph (a)(1) of this section at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.

(b) Application of opt out to all consumers and all nonpublic personal information. (1) A bank must comply with this section, regardless of whether the bank and the consumer have established a customer relationship.

(2) Unless a bank complies with this section, the bank may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer that the bank has collected, regardless of whether the bank collected it before or after receiving the direction to opt out from the consumer.

(c) Partial opt out. A bank may allow a consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.

§ 40.11   Limits on redisclosure and reuse of information.

(a)(1) Information the bank receives under an exception. If a bank receives nonpublic personal information from a nonaffiliated financial institution under an exception in §§40.14 or 40.15 of this part, the bank's disclosure and use of that information is limited as follows:

(i) The bank may disclose the information to the affiliates of the financial institution from which the bank received the information;

(ii) The bank may disclose the information to its affiliates, but the bank's affiliates may, in turn, disclose and use the information only to the extent that the bank may disclose and use the information; and

(iii) The bank may disclose and use the information pursuant to an exception in §§40.14 or 40.15 in the ordinary course of business to carry out the activity covered by the exception under which the bank received the information.

(2) Example. If a bank receives a customer list from a nonaffiliated financial institution in order to provide account processing services under the exception in §40.14(a), the bank may disclose that information under any exception in §§40.14 or 40.15 in the ordinary course of business in order to provide those services. For example, the bank could disclose the information in response to a properly authorized subpoena or to its attorneys, accountants, and auditors. The bank could not disclose that information to a third party for marketing purposes or use that information for its own marketing purposes.

(b)(1) Information a bank receives outside of an exception. If a bank receives nonpublic personal information from a nonaffiliated financial institution other than under an exception in §§40.14 or 40.15 of this part, the bank may disclose the information only:

(i) To the affiliates of the financial institution from which the bank received the information;

(ii) To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the bank can disclose the information; and

(iii) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the bank received the information.

(2) Example. If a bank obtains a customer list from a nonaffiliated financial institution outside of the exceptions in §§40.14 and 40.15:

(i) The bank may use that list for its own purposes; and

(ii) The bank may disclose that list to another nonaffiliated third party only if the financial institution from which the bank purchased the list could have lawfully disclosed the list to that third party. That is, the bank may disclose the list in accordance with the privacy policy of the financial institution from which the bank received the list, as limited by the opt out direction of each consumer whose nonpublic personal information the bank intends to disclose and the bank may disclose the list in accordance with an exception in §§40.14 or 40.15, such as to the bank's attorneys or accountants.

(c) Information a bank discloses under an exception. If a bank discloses nonpublic personal information to a nonaffiliated third party under an exception in §§40.14 or 40.15 of this part, the third party may disclose and use that information only as follows:

(1) The third party may disclose the information to the bank's affiliates;

(2) The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and

(3) The third party may disclose and use the information pursuant to an exception in §§40.14 or 40.15 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

(d) Information a bank discloses outside of an exception. If a bank discloses nonpublic personal information to a nonaffiliated third party other than under an exception in §§40.14 or 40.15 of this part, the third party may disclose the information only:

(1) To the bank's affiliates;

(2) To the third party's affiliates, but the third party's affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and

(3) To any other person, if the disclosure would be lawful if the bank made it directly to that person.

§ 40.12   Limits on sharing account number information for marketing purposes.

(a) General prohibition on disclosure of account numbers. A bank must not, directly or through an affiliate, disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

(b) Exceptions. Paragraph (a) of this section does not apply if a bank discloses an account number or similar form of access number or access code:

(1) To the bank's agent or service provider solely in order to perform marketing for the bank's own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; or

(2) To a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.

(c) Examples—(1) Account number. An account number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as the bank does not provide the recipient with a means to decode the number or code.

(2) Transaction account. A transaction account is an account other than a deposit account or a credit card account. A transaction account does not include an account to which third parties cannot initiate charges.
