Or. Admin. Code § 836-080-0640 - Information to Be Included in Initial Privacy Notice
(1) This rule implements the requirement of the initial notice under OAR
836-080-0620, describes the contents of the initial notice and provides
examples of categories of information required in the notice.
(2) The following are examples of categories
of nonpublic personal financial information collected by a licensee. A licensee
satisfies the requirement of categorizing the nonpublic personal financial
information it collects if the licensee categorizes it according to the source
of the information, including, for example:
(a) Information from the consumer;
(b) Information about the consumer's
transactions with the licensee or its affiliates;
(c) Information about the consumer's
transactions with nonaffiliated third parties; and
(d) Information from an insurance support
organization.
(3) The following are examples of categories of nonpublic personal financial
information disclosed by a licensee:
(a) A licensee satisfies the requirement of categorizing nonpublic personal
financial information it discloses if the licensee categorizes the information
according to source, as described in section (2) of this rule, as applicable,
and provides a few examples to illustrate the types of information in each
category. These may include:
(A) Information from the consumer, including application information such as
assets and income and identifying information such as name, address and social
security number;
(B) Transaction information, such as information about balances, payment
history and parties to the transaction; and
(C) Information from consumer reporting agencies, such as a consumer's
creditworthiness and credit history.
(b) A licensee does not adequately categorize
the information that it discloses if the licensee uses only general terms, such
as transaction information about the consumer.
(c) If a licensee reserves the right to
disclose all of the nonpublic personal financial information about consumers
that it collects, the licensee may simply state that fact without describing
the categories or examples of nonpublic personal financial information that the
licensee discloses.
(4) The following are examples for describing categories of affiliated and
nonaffiliated third parties to which a licensee discloses nonpublic personal
financial information:
(a) A licensee satisfies the requirement of categorizing the affiliates and
nonaffiliated third parties to which the licensee discloses nonpublic personal
financial information about consumers if the licensee identifies the types of
business in which the affiliates and nonaffiliated third parties engage.
(b) Types of businesses may be described by
general terms only if the licensee uses a few illustrative examples of
significant lines of business. For example, a licensee may use the term
financial products or services if it includes appropriate examples of
significant lines of businesses, such as life insurer, automobile insurer,
consumer banking or securities brokerage.
(c) A licensee may also categorize the
affiliates and nonaffiliated third parties to which it discloses nonpublic
personal financial information about consumers using more detailed
categories.
(5) A privacy notice shall include an explanation of the consumer's right under
OAR 836-080-0675 to opt out of the disclosure of nonpublic personal financial
information to nonaffiliated third parties, including the method by which the
consumer may exercise that right at that time. The following are examples of
disclosures under the exception for joint marketers under 836-080-0675. If a
licensee discloses nonpublic personal financial information under the exception
in 836-080-0675 to a nonaffiliated third party to market products or services
that it offers alone or jointly with another financial institution, the
licensee satisfies the applicable disclosure requirement of this rule if the
licensee:
(a) Lists the categories of nonpublic personal financial information it
discloses, using the same categories and examples the licensee used to meet the
requirements of section (1) of this rule.
(b) States whether the third party is:
(A) A service provider that performs
marketing services on the licensee's behalf or on behalf of the licensee and
another financial institution; or
(B) A financial institution with whom the
licensee has a joint marketing agreement.
(6) If a licensee does not disclose nonpublic personal financial information
about customers or former customers to affiliates or nonaffiliated third
parties except as authorized under OAR 836-080-0670 and 836-080-0675, the
licensee may simply state that fact, in addition to the information it is
required to provide under 836-080-0615(3) (a), (h), (i) and (j) and (4).
(7) A licensee describes its policies and
practices relating to protection of the confidentiality and security of
personal information if it does both of the following:
(a) Describes in general terms who is
authorized to have access to the information; and
(b) States whether the licensee has security
practices and procedures in place to ensure the confidentiality of the
information in accordance with the licensee's policy. The licensee is not
required to describe technical information about the safeguards it
uses.
(8) An abbreviated notice authorized by OAR 836-080-0615(3) must include in
full the elements of the notice required by the federal Gramm-Leach-Bliley Act
of 1999 for the purpose of compliance with that law and shall also include the
information referred to in section (5) of this rule and in 836-080-0615(3).
The licensee shall deliver its abbreviated notice according to 836-080-0660.
The licensee is not required to deliver its privacy notice with its abbreviated
notice. The licensee instead may provide the consumer a reasonable means to
obtain its privacy notice as described in 836-080-0660. If a consumer who
receives the licensee's abbreviated notice requests the licensee's privacy
notice, the licensee shall deliver its privacy notice according to
836-080-0660.
(9) A licensee's initial privacy notice may
include any of the following:
(a) Categories of nonpublic personal financial information that the licensee
reserves the right to disclose in the future but does not currently disclose;
and
(b) Categories of affiliates or nonaffiliated
third parties to whom the licensee reserves the right in the future to
disclose, but to whom the licensee does not currently disclose, nonpublic
personal financial information.
Notes
Stat. Auth.: ORS 731.244 & 746.608
Stats. Implemented: ORS 746.600 & 746.607