Utah Admin. Code R590-206-17 - Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information

(1) The initial notice requirements under Subsection R590-206-5(1)(b), the opt out requirements under Sections R590-206-8 and R590-206-12, and the service provider and joint marketing requirements under Section R590-206-15 do not apply when a licensee discloses nonpublic personal financial information:

(a) with the consent, or at the direction of, a consumer, provided the consumer has not revoked the consent or direction;

(b) to protect:

(i) the confidentiality or security of a licensee's records pertaining to a consumer, service, product, or transaction;

(ii) against, or prevent, actual or potential fraud or an unauthorized transaction;

(iii) against institutional risk control or resolving a consumer dispute or inquiry;

(iv) a person holding a legal or beneficial interest relating to the consumer; or

(v) a person acting in a fiduciary or representative capacity on behalf of the consumer;

(c) to provide information to an insurance rate advisory organization, a guaranty fund, an agency, an agency that rates a licensee, a person that assesses the licensee's compliance with industry standards, and the licensee's attorney, accountant, and auditor;

(d) to the extent permitted under the Right to Financial Privacy Act of 1978, U.S.C. 3401 et seq., to a law enforcement agency, a state insurance department, the Federal Trade Commission, a self-regulatory organization, or for an investigation on a matter related to public safety;

(e)

(i) to a consumer reporting agency under the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq.; or

(ii) from a consumer report from a consumer reporting agency;

(f) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely a consumer of the business or unit;

(g)

(i) to comply with a federal, state, or local law, rule, or other legal requirement;

(ii) to comply with a civil, criminal, or regulatory investigation, or a subpoena or summons by a federal, state, or local authority; or

(iii) to respond to a judicial process or government regulatory authority having jurisdiction over a licensee for examination, compliance, or another purpose, as authorized by law; or

(h) for purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or a workers' compensation policy.

(2) An insurer subject to a formal delinquency proceeding under Section 31A-27a-207, 31A-27a-301, or 31A-27a-401 is not subject to the requirements of Subsection R590-206-5(1)(b) or the opt out requirements of this rule.

(3) A consumer may revoke consent by exercising the right to opt out of future disclosures of nonpublic personal information under Subsection R590-206-8(6).

Notes

Utah Admin. Code R590-206-17

Amended by Utah State Bulletin Number 2017-15, effective 7/11/2017 Adopted by Utah State Bulletin Number 2023-23, effective 11/21/2023