31 Pa. Code § 146a.13 - Information to be included in privacy notices

(a) General rule. The initial, annual and revised privacy notices that a licensee provides under §§ 146a.11, 146a.12 and 146a.15 (relating to initial privacy notice to consumers required; annual privacy notice to customers required; and revised privacy notices) shall include all of the following items of information, in addition to other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
(1) The categories of nonpublic personal financial information that the licensee collects.
(2) The categories of nonpublic personal financial information that the licensee discloses.
(3) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under §§ 146a.32 and 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information).
(4) The categories of nonpublic personal financial information about the licensee's former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee's former customers, other than those parties to whom the licensee discloses information under §§ 146a.32 and 146a.33.
(5) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing) (and no other exception in §§ 146a.32 and 146a.33 applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of nonaffiliated third parties with whom the licensee has contracted.
(6) An explanation of the consumer's right under § 146a.21(a) (relating to limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties) to opt out of the disclosure of nonpublic personal financial information to any nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.
(7) Any disclosures that the licensee makes under section 603(d)(2)(A)(iii) of the Federal Fair Credit Reporting Act (15 U.S.C.A. § 1681a(d)(2)(A)(iii)).
(8) The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information.
(9) Any disclosure that the licensee makes under subsection (b).
(b) Description of parties subject to exceptions. If a licensee discloses nonpublic personal financial information as authorized under §§ 146a.32 and 146a.33, the licensee is not required to list those exceptions in the initial or annual privacy notices required by §§ 146a.11 and 146a.12. When describing the categories of parties to whom disclosure is made, the licensee is required to state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
(c) Examples.
(1) Categories of nonpublic personal financial information that the licensee collects. A licensee satisfies the requirement to categorize the nonpublic personal financial information it collects if the licensee categorizes it according to the source of the information, as applicable:
(i) Information from the consumer.
(ii) Information about the consumer's transactions with the licensee or its affiliates.
(iii) Information about the consumer's transactions with nonaffiliated third parties.
(iv) Information from a consumer reporting agency.
(2) Categories of nonpublic personal financial information a licensee discloses.
(i) A licensee satisfies the requirement to categorize nonpublic personal financial information it discloses if the licensee categorizes the information according to source, as described in subsection (c)(1), as applicable, and provides examples to illustrate the types of information in each category. These examples include:
(A) Information from the consumer, including application information, such as assets and income and identifying information, such as name, address and Social Security number.
(B) Transaction information, such as information about balances, payment history and parties to the transaction.
(C) Information from consumer reports, such as a consumer's creditworthiness and credit history.
(ii) A licensee does not adequately categorize the information that it discloses if the licensee uses only general terms, such as transaction information about the consumer.
(iii) If a licensee reserves the right to disclose all of the nonpublic personal financial information about consumers that it collects, the licensee may simply state that fact without describing the categories or examples of nonpublic personal financial information that the licensee discloses.
(3) Categories of affiliates and nonaffiliated third parties to whom the licensee discloses.
(i) A licensee satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the licensee discloses nonpublic personal financial information about consumers if the licensee identifies the types of businesses in which they engage.
(ii) Types of businesses may be described by general terms only if the licensee uses illustrative examples of significant lines of business. For example, a licensee may use the term financial products or services if it includes appropriate examples of significant lines of businesses, such as life insurer, automobile insurer, consumer banking or securities brokerage.
(iii) A licensee also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.
(4) Disclosures under exception for service providers and joint marketers. If a licensee discloses nonpublic personal financial information under the exception in § 146a.31 to a nonaffiliated third party to market products or services that it offers alone or jointly with another financial institution, the licensee satisfies the disclosure requirement of subsection (a)(5) if it does all of the following:
(i) Lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the licensee used to meet the requirements of subsection (a)(2), as applicable.
(ii) States whether the nonaffiliated third party is either:
(A) A service provider that performs marketing services on the licensee's behalf or on behalf of the licensee and another financial institution.
(B) A financial institution with whom the licensee has a joint marketing agreement.
(5) Simplified notices. If a licensee does not disclose, and does not wish to reserve the right to disclose, nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §§ 146a.32 and 146a.33, the licensee may simply state that fact, in addition to the information it shall provide under subsection (a)(1), (8) and (9), and subsection (b).
(6) Confidentiality and security. A licensee describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:
(i) Describes in general terms who is authorized to have access to the information.
(ii) States whether the licensee has security practices and procedures in place to ensure the confidentiality of the information in accordance with the licensee's policy. The licensee is not required to describe technical information about the safeguards it uses.
(d) Short-form initial notice with opt out notice for noncustomers .
(1) A licensee may satisfy the initial notice requirements in § 146a.11(a)(2) and § 146a.14(c) (relating to form of opt out notice to consumers and opt out methods) for a consumer who is not a customer by providing a short-form initial notice at the same time as the licensee delivers an opt out notice as required in § 146a.14.
(2) A short-form initial notice shall do all of the following:
(i) Be clear and conspicuous.
(ii) State that the licensee's privacy notice is available upon request.
(iii) Explain a reasonable means by which the consumer may obtain that notice.
(3) The licensee shall deliver its short-form initial notice according to § 146a.16 (relating to delivery). The licensee is not required to deliver its privacy notice with its short-form initial notice. The licensee instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee shall deliver its privacy notice according to § 146a.16.
(4) Examples of obtaining privacy notice are included in this paragraph. The licensee provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the licensee does either of the following:
(i) Provides a toll-free telephone number that the consumer may call to request the notice.
(ii) For a consumer who conducts business in person at the licensee's office, maintains copies of the notice on hand that the licensee provides to the consumer immediately upon request.
(e) Future disclosures. The licensee's notice may include categories of:
(1) Nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose.
(2) Affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom the licensee does not currently disclose, nonpublic personal financial information.
(f) Sample clauses and Federal model privacy form. Sample clauses illustrating some of the notice content required by this section are included in Appendix A (relating to sample clauses) and may be found in the Federal model privacy form in 16 CFR Part 313 , Appendix A (relating to model privacy form) or National Association of Insurance Commissioners Regulation # 672, Appendix B.

Notes

31 Pa. Code § 146a.13
The provisions of this §146a.13 amended August 9, 2019, effective 8/10/2019, 49 Pa.B. 4109.

The provisions of this §146a.13 amended under sections 206, 506, 1501 and 1502 of The Administrative Code of 1929 (71 P.S. §§ 66, 186, 411 and 412) and the Unfair Insurance Practices Act (40 P.S. §§ 1171.1-1171.15).

This section cited in 31 Pa. Code § 146a.11 (relating to initial privacy notice to consumers required); and 31 Pa. Code § 146a.14 (relating to form of opt out notice to consumers and opt out methods).

State regulations are updated quarterly; we currently have two versions available. Below is a comparison between our most recent version and the prior quarterly release. More comparison features will be added as we have more versions to compare.


No prior version found.