(a) General rule. Except as otherwise authorized in this part, a bank must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that the bank provided to that consumer under § 40.4, unless:
(1) The bank has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices;
(2) The bank has provided to the consumer a new opt out notice;
(3) The bank has given the consumer a reasonable opportunity, before the bank discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) The consumer does not opt out.
(b) Examples.(1) Except as otherwise permitted by §§ 40.13, 40.14, and 40.15, a bank must provide a revised notice before it:
(i) Discloses a new category of nonpublic personal information to any nonaffiliated third party;
(ii) Discloses nonpublic personal information to a new category of nonaffiliated third party; or
(iii) Disclose nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.
(2) A revised notice is not required if the bank discloses nonpublic personal information to a new nonaffiliated third party that the bank adequately described in its prior notice.
(c) Delivery. When a bank is required to deliver a revised privacy notice by this section, the bank must deliver it according to § 40.9.
Title 12 published on 2012-01-01
no entries appear in the Federal Register after this date.
This is a list of United States Code sections, Statutes at Large, Public Laws, and Presidential Documents, which provide rulemaking authority for this CFR Part.