31 Pa. Code § 146a.13 - Information to be included in privacy notices
(a) General rule. The initial, annual and revised privacy notices that a licensee provides under §§ 146a.11, 146a.12 and 146a.15 (relating to initial privacy notice to consumers required; annual privacy notice to customers required; and revised privacy notices) shall include all of the following items of information, in addition to other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:
(1) The categories of nonpublic personal financial information that the licensee collects.
(2) The categories of nonpublic personal financial information that the licensee discloses.
(3) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under §§ 146a.32 and 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information).
(4) The categories of nonpublic personal financial information about the licensee's former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee's former customers, other than those parties to whom the licensee discloses information under §§ 146a.32 and 146a.33.
(5) If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under § 146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing) (and no other exception in §§ 146a.32 and 146a.33 applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of nonaffiliated third parties with whom the licensee has contracted.
(6) An explanation of the consumer's right under § 146a.21(a) (relating to limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties) to opt out of the disclosure of nonpublic personal financial information to any nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.
(7) Any disclosures that the licensee makes under section 603(d)(2)(A)(iii) of the Federal Fair Credit Reporting Act (15 U.S.C.A. § 1681a(d)(2)(A)(iii)).
(8) The licensee's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information.
(9) Any disclosure that the licensee makes under subsection (b).
(b) Description of parties subject to exceptions. If a licensee discloses nonpublic personal financial information as authorized under §§ 146a.32 and 146a.33, the licensee is not required to list those exceptions in the initial or annual privacy notices required by §§ 146a.11 and 146a.12. When describing the categories of parties to whom disclosure is made, the licensee is required to state only that it makes disclosures to other affiliated or nonaffiliated third parties, as applicable, as permitted by law.
(c) Examples.
(1) Categories of nonpublic personal financial information that the licensee collects. A licensee satisfies the requirement to categorize the nonpublic personal financial information it collects if the licensee categorizes it according to the source of the information, as applicable:
(i) Information from the consumer.
(ii) Information about the consumer's transactions with the licensee or its affiliates.
(iii) Information about the consumer's transactions with nonaffiliated third parties.
(iv) Information from a consumer reporting agency.
(2) Categories of nonpublic personal financial information a licensee discloses.
(i) A licensee satisfies the requirement to categorize nonpublic personal financial information it discloses if the licensee categorizes the information according to source, as described in subsection (c)(1), as applicable, and provides examples to illustrate the types of information in each category. These examples include:
(A) Information from the consumer, including application information, such as assets and income, and identifying information, such as name, address and Social Security number.
(B) Transaction information, such as information about balances, payment history and parties to the transaction.
(C) Information from consumer reports, such as a consumer's creditworthiness and credit history.
(ii) A licensee does not adequately categorize the information that it discloses if the licensee uses only general terms, such as transaction information about the consumer.
(iii) If a licensee reserves the right to disclose all of the nonpublic personal financial information about consumers that it collects, the licensee may simply state that fact without describing the categories or examples of nonpublic personal financial information that the licensee discloses.
(3) Categories of affiliates and nonaffiliated third parties to whom the licensee discloses.
(i) A licensee satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the licensee discloses nonpublic personal financial information about consumers if the licensee identifies the types of businesses in which they engage.
(ii) Types of businesses may be described by general terms only if the licensee uses illustrative examples of significant lines of business. For example, a licensee may use the term financial products or services if it includes appropriate examples of significant lines of business, such as life insurer, automobile insurer, consumer banking or securities brokerage.
(iii) A licensee also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.
(4) Disclosures under exception for service providers and joint marketers. If a licensee discloses nonpublic personal financial information under the exception in § 146a.31 to a nonaffiliated third party to market products or services that it offers alone or jointly with another financial institution, the licensee satisfies the disclosure requirement of subsection (a)(5) if it does all of the following:
(i) Lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the licensee used to meet the requirements of subsection (a)(2), as applicable.
(ii) States whether the nonaffiliated third party is either:
(A) A service provider that performs marketing services on the licensee's behalf or on behalf of the licensee and another financial institution.
(B) A financial institution with whom the licensee has a joint marketing agreement.
(5) Simplified notices. If a licensee does not disclose, and does not wish to reserve the right to disclose, nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §§ 146a.32 and 146a.33, the licensee may simply state that fact, in addition to the information it shall provide under subsection (a)(1), (8) and (9), and subsection (b).
(6) Confidentiality and security. A licensee describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:
(i) Describes in general terms who is authorized to have access to the information.
(ii) States whether the licensee has security practices and procedures in place to ensure the confidentiality of the information in accordance with the licensee's policy. The licensee is not required to describe technical information about the safeguards it uses.
(d) Short-form initial notice with opt out notice for noncustomers.
(1) A licensee may satisfy the initial notice requirements in § 146a.11(a)(2) and § 146a.14(c) (relating to form of opt out notice to consumers and opt out methods) for a consumer who is not a customer by providing a short-form initial notice at the same time as the licensee delivers an opt out notice as required in § 146a.14.
(2) A short-form initial notice shall do all of the following:
(i) Be clear and conspicuous.
(ii) State that the licensee's privacy notice is available upon request.
(iii) Explain a reasonable means by which the consumer may obtain that notice.
(3) The licensee shall deliver its short-form initial notice according to § 146a.16 (relating to delivery). The licensee is not required to deliver its privacy notice with its short-form initial notice. The licensee instead may simply provide the consumer a reasonable means to obtain its privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee shall deliver its privacy notice according to § 146a.16.
(4) Examples of obtaining privacy notice. The licensee provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the licensee does either of the following:
(i) Provides a toll-free telephone number that the consumer may call to request the notice.
(ii) For a consumer who conducts business in person at the licensee's office, maintains copies of the notice on hand that the licensee provides to the consumer immediately upon request.
(e) Future disclosures. The licensee's notice may include categories of:
(1) Nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose.
(2) Affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom the licensee does not currently disclose, nonpublic personal financial information.
(f) Sample clauses and Federal model privacy form. Sample clauses illustrating some of the notice content required by this section are included in Appendix A (relating to sample clauses) and may be found in the Federal model privacy form in 16 CFR Part 313, Appendix A (relating to model privacy form) or National Association of Insurance Commissioners Regulation # 672, Appendix B.
Notes
The provisions of this §146a.13 amended under sections 206, 506, 1501 and 1502 of The Administrative Code of 1929 (71 P.S. §§ 66, 186, 411 and 412) and the Unfair Insurance Practices Act (40 P.S. §§ 1171.1-1171.15).