12 CFR 40.10 - Limits on disclosure of non-public personal information to nonaffiliated third parties.
prev | next
(1) Conditions for disclosure. Except as otherwise authorized in this part, a bank may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless:
(iii) The bank has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(iv) The consumer does not opt out.
(2) Opt out definition. Opt out means a direction by the consumer that the bank not disclose nonpublic personal information about that consumer to a nonaffiliated third party, other than as permitted by §§ 40.13, 40.14, and 40.15.
(3) Examples of reasonable opportunity to opt out. A bank provides a consumer with a reasonable opportunity to opt out if:
(i) By mail. The bank mails the notices required in paragraph (a)(1) of this section to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days from the date the bank mailed the notices.
(ii) By electronic means. A customer opens an on-line account with a bank and agrees to receive the notices required in paragraph (a)(1) of this section electronically, and the bank allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
(iii) Isolated transaction with consumer. For an isolated transaction, such as the purchase of a cashier's check by a consumer, a bank provides the consumer with a reasonable opportunity to opt out if the bank provides the notices required in paragraph (a)(1) of this section at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
(b) Application of opt out to all consumers and all nonpublic personal information. (1) A bank must comply with this section, regardless of whether the bank and the consumer have established a customer relationship.
(2) Unless a bank complies with this section, the bank may not, directly or through any affiliate, disclose any nonpublic personal information about a consumer that the bank has collected, regardless of whether the bank collected it before or after receiving the direction to opt out from the consumer.
Beta! The text on the eCFR tab represents the unofficial eCFR text at ecfr.gov.
This section’s status may have changed. It may have been renumbered, reserved, or removed.