17 CFR § 160.5 - Annual privacy notice to customers required.

§ 160.5 Annual privacy notice to customers required.

(a)

(1) General rule. Except as provided by paragraph (d) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the life of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.

(2) Example. You provide notice annually if you define the 12-consecutive-month period as a calendar year and provide the annual notice to the customer once in each calendar year following the calendar year in which you provided the initial notice. For example, if a customer opens an account on any day of year 1, you must provide an annual notice to that customer by December 31 of year 2.

(b)

(1) Termination of customer relationship. You are not required to provide an annual notice to a former customer.

(2) Examples. Your customer becomes a former customer when:

(i) The individual's commodity interest account is closed;

(ii) The individual's advisory contract or subscription is terminated or expires; or

(iii) The individual has redeemed all of his or her units in your pool.

(c) Delivery of notice. When you are required by this section to deliver an annual privacy notice, you must deliver it in the manner provided by § 160.9.

(d) Exception to annual privacy notice requirement.

(1) You are not required to deliver an annual privacy notice if you:

(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of §§ 160.13, 160.14, and 160.15 and any other exceptions adopted by the Commission pursuant to section 504(b) of the GLB Act; and

(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 160.6(a)(2) through (5) and § 160.6(a)(9) in the most recent privacy notice sent to the customer pursuant to this part.

(2) Delivery of annual privacy notice after you no longer meet requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (d)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (d)(2)(i) or (ii) of this section, as applicable.

(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (d)(1) of this section because you change your policies or practices in such a way that § 160.8 of this part requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirements in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.

(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (d)(1) of this section because you change your policies or practices in such a way that § 160.8 of this part does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirements of paragraph (d)(1) of this section.

[66 FR 21252, Apr. 27, 2001, as amended at 84 FR 17345, Apr. 25, 2019]

The following state regulations pages link to this page.