12 CFR 40.7 - Form of opt out notice to consumers; opt out methods.
(a) (1) Form of opt out notice. If a bank is required to provide an opt out notice under § 40.10(a), it must provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under that section. The notice must state:
(i) That the bank discloses or reserves the right to disclose nonpublic personal information about its consumer to a nonaffiliated third party;
(ii) That the consumer has the right to opt out of that disclosure; and
(iii) A reasonable means by which the consumer may exercise the opt out right.
(2) Examples. (i) Adequate opt out notice. A bank provides adequate notice that the consumer can opt out of the disclosure of nonpublic personal information to a nonaffiliated third party if the bank:
(A) Identifies all of the categories of nonpublic personal information that it discloses or reserves the right to disclose, and all of the categories of nonaffiliated third parties to which the bank discloses the information, as described in § 40.6(a)(2) and (3), and states that the consumer can opt out of the disclosure of that information; and
(B) Identifies the financial products or services that the consumer obtains from the bank, either singly or jointly, to which the opt out direction would apply.
(ii) Reasonable opt out means. A bank provides a reasonable means to exercise an opt out right if it:
(A) Designates check-off boxes in a prominent position on the relevant forms with the opt out notice;
(C) Provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the bank's web site, if the consumer agrees to the electronic delivery of information; or
(A) The only means of opting out is for the consumer to write his or her own letter to exercise that opt out right; or
(B) The only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that the bank provided with the initial notice but did not include with the subsequent notice.
(iv) Specific opt out means. A bank may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.
(b) Same form as initial notice permitted. A bank may provide the opt out notice together with or on the same written or electronic form as the initial notice the bank provides in accordance with § 40.4.
(c) Initial notice required when opt out notice delivered subsequent to initial notice. If a bank provides the opt out notice later than required for the initial notice in accordance with § 40.4, the bank must also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.
(d) Joint relationships. (1) If two or more consumers jointly obtain a financial product or service from a bank, the bank may provide a single opt out notice. The bank's opt out notice must explain how the bank will treat an opt out direction by a joint consumer (as explained in paragraph (d)(5) of this section).
(i) Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or
(ii) Permit each joint consumer to opt out separately.
(3) If a bank permits each joint consumer to opt out separately, the bank must permit one of the joint consumers to opt out on behalf of all of the joint consumers.
(4) A bank may not require all joint consumers to opt out before it implements any opt out direction.
(5) Example. If John and Mary have a joint checking account with a bank and arranges for the bank to send statements to John's address, the bank may do any of the following, but it must explain in its opt out notice which opt out policy the bank will follow:
(i) Send a single opt out notice to John's address, but the bank must accept an opt out direction from either John or Mary.
(ii) Treat an opt out direction by either John or Mary as applying to the entire account. If the bank does so and John opts out, the bank may not require Mary to opt out as well before implementing John's opt out direction.
(B) If both opt out, the bank must permit both of them to notify it in a single response (such as on a form or through a telephone call); and
(C) If John opts out and Mary does not, the bank may only disclose nonpublic personal information about Mary, but not about John and not about John and Mary jointly.
(e) Time to comply with opt out. A bank must comply with a consumer's opt out direction as soon as reasonably practicable after the bank receives it.
(f) Continuing right to opt out. A consumer may exercise the right to opt out at any time.
(g) Duration of consumer's opt out direction. (1) A consumer's direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.
(2) When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal information that the bank collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the bank, the opt out direction that applied to the former relationship does not apply to the new relationship.
(h) Delivery. When a bank is required to deliver an opt out notice by this section, the bank must deliver it according to § 40.9.
(i) Model privacy form. Pursuant to § 40.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in appendix A of this part.
Beta! The text on the eCFR tab represents the unofficial eCFR text at ecfr.gov.
This section’s status may have changed. It may have been renumbered, reserved, or removed.