12 CFR 40.9 - Delivering privacy and opt out notices.
prev | next
(a) How to provide notices. A bank must provide any privacy notices and opt out notices, including short-form initial notices, that this part requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(b) (1) Examples of reasonable expectation of actual notice. A bank may reasonably expect that a consumer will receive actual notice if the bank:
(i) Hand-delivers a printed copy of the notice to the consumer;
(ii) Mails a printed copy of the notice to the last known address of the consumer;
(iii) For the consumer who conducts transactions electronically, posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service;
(iv) For an isolated transaction with the consumer, such as an ATM transaction, posts the notice on the ATM screen and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.
(2) Examples of unreasonable expectation of actual notice. A bank may not, however, reasonably expect that a consumer will receive actual notice of its privacy policies and practices if it:
(i) Only posts a sign in its branch or office or generally publish advertisements of its privacy policies and practices;
(ii) Sends the notice via electronic mail to a consumer who does not obtain a financial product or service from the bank electronically.
(c) Annual notices only. A bank may reasonably expect that a customer will receive actual notice of the bank's annual privacy notice if:
(1) The customer uses the bank's web site to access financial products and services electronically and agrees to receive notices at the web site and the bank posts its current privacy notice continuously in a clear and conspicuous manner on the web site; or
(2) The customer has requested that the bank refrain from sending any information regarding the customer relationship, and the bank's current privacy notice remains available to the customer upon request.
(d) Oral description of notice insufficient. A bank may not provide any notice required by this part solely by orally explaining the notice, either in person or over the telephone.
(e) Retention or accessibility of notices for customers. (1) For customers only, a bank must provide the initial notice required by § 40.4(a)(1), the annual notice required by § 40.5(a), and the revised notice required by § 40.8 so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
(2) Examples of retention or accessibility. A bank provides a privacy notice to the customer so that the customer can retain it or obtain it later if the bank:
(i) Hand-delivers a printed copy of the notice to the customer;
(ii) Mails a printed copy of the notice to the last known address of the customer; or
(iii) Makes its current privacy notice available on a web site (or a link to another web site) for the customer who obtains a financial product or service electronically and agrees to receive the notice at the web site.
(f) Joint notice with other financial institutions. A bank may provide a joint notice from it and one or more of its affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to the bank and the other institutions.
Beta! The text on the eCFR tab represents the unofficial eCFR text at ecfr.gov.
This section’s status may have changed. It may have been renumbered, reserved, or removed.