About GPO   |   Newsroom/Media   |   Congressional Relations   |   Inspector General   |   Careers   |   Contact   |   askGPO   |   Help  
 
Home   |   Customers   |   Vendors   |   Libraries  

The Electronic Code of Federal Regulations (e-CFR) is a regularly updated, unofficial editorial compilation of CFR material and Federal Register amendments produced by the National Archives and Records Administration's Office of the Federal Register (OFR) and the Government Printing Office.

Parallel Table of Authorities and Rules for the Code of Federal Regulations and the United States Code
Text | PDF

Find, review, and submit comments on Federal rules that are open for comment and published in the Federal Register using Regulations.gov.

Purchase individual CFR titles from the U.S. Government Online Bookstore.

Find issues of the CFR (including issues prior to 1996) at a local Federal depository library.

[2]
 
 

Electronic Code of Federal Regulations

e-CFR Data is current as of September 11, 2014

Title 16Chapter ISubchapter CPart 313Subpart A → §313.6


Title 16: Commercial Practices
PART 313—PRIVACY OF CONSUMER FINANCIAL INFORMATION
Subpart A—Privacy and Opt Out Notices


§313.6   Information to be included in privacy notices.

(a) General rule. The initial, annual, and revised privacy notices that you provide under §§313.4, 313.5, and 313.8 must include each of the following items of information that applies to you or to the consumers to whom you send your privacy notice, in addition to any other information you wish to provide:

(1) The categories of nonpublic personal information that you collect;

(2) The categories of nonpublic personal information that you disclose;

(3) The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under §§313.14 and 313.15;

(4) The categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under §§313.14 and 313.15;

(5) If you disclose nonpublic personal information to a nonaffiliated third party under §313.13 (and no exception under §313.14 or §313.15 applies to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted;

(6) An explanation of the consumer's right under §313.10(a) to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time;

(7) Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);

(8) Your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and

(9) Any disclosure that you make under paragraph (b) of this section.

(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§313.14 and 313.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§313.4 and 313.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies for your everyday business purposes, such as to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus.

(c) Examples—(1) Categories of nonpublic personal information that you collect. You satisfy the requirement to categorize the nonpublic personal information that you collect if you list the following categories, as applicable:

(i) Information from the consumer;

(ii) Information about the consumer's transactions with you or your affiliates;

(iii) Information about the consumer's transactions with nonaffiliated third parties; and

(iv) Information from a consumer reporting agency.

(2) Categories of nonpublic personal information you disclose—(i) You satisfy the requirement to categorize the nonpublic personal information that you disclose if you list the categories described in paragraph (e)(1) of this section, as applicable, and a few examples to illustrate the types of information in each category.

(ii) If you reserve the right to disclose all of the nonpublic personal information about consumers that you collect, you may simply state that fact without describing the categories or examples of the nonpublic personal information you disclose.

(3) Categories of affiliates and nonaffiliated third parties to whom you disclose. You satisfy the requirement to categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information if you list them using the following categories, as applicable, and a few applicable examples to illustrate the significant types of third parties covered in each category.

(i) Financial service providers, followed by illustrative examples such as mortgage bankers, securities broker-dealers, and insurance agents.

(ii) Non-financial companies, followed by illustrative examples such as retailers, magazine publishers, airlines, and direct marketers; and

(iii) Others, followed by examples such as nonprofit organizations.

(4) Disclosures under exception for service providers and joint marketers. If you disclose nonpublic personal information under the exception in §313.13 to a nonaffiliated third party to market products or services that you offer alone or jointly with another financial institution, you satisfy the disclosure requirement of paragraph (a)(5) of this section if you:

(i) List the categories of nonpublic personal information you disclose, using the same categories and examples you used to meet the requirements of paragraph (a)(2) of this section, as applicable; and

(ii) State whether the third party is:

(A) A service provider that performs marketing services on your behalf or on behalf of you and another financial institution; or

(B) A financial institution with whom you have a joint marketing agreement.

(5) Simplified notices. If you do not disclose, and do not wish to reserve the right to disclose, nonpublic personal information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under §§313.14 and 313.15, you may simply state that fact, in addition to the information you must provide under paragraphs (a)(1), (a)(8), (a)(9), and (b) of this section.

(6) Confidentiality and security. You describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if you do both of the following:

(i) Describe in general terms who is authorized to have access to the information; and

(ii) State whether you have security practices and procedures in place to ensure the confidentiality of the information in accordance with your policy. You are not required to describe technical information about the safeguards you use.

(d) Short-form initial notice with opt out notice for non-customers—(1) You may satisfy the initial notice requirements in §§313.4(a)(2), 313.7(b), and 313.7(c) for a consumer who is not a customer by providing a short-form initial notice at the same time as you deliver an opt out notice as required in §313.7.

(2) A short-form initial notice must:

(i) Be clear and conspicuous;

(ii) State that your privacy notice is available upon request; and

(iii) Explain a reasonable means by which the consumer may obtain that notice.

(3) You must deliver your short-form initial notice according to §313.9. You are not required to deliver your privacy notice with your short-form initial notice. You instead may simply provide the consumer a reasonable means to obtain your privacy notice. If a consumer who receives your short-form notice requests your privacy notice, you must deliver your privacy notice according to §313.9.

(4) Examples of obtaining privacy notice. You provide a reasonable means by which a consumer may obtain a copy of your privacy notice if you:

(i) Provide a toll-free telephone number that the consumer may call to request the notice; or

(ii) For a consumer who conducts business in person at your office, maintain copies of the notice on hand that you provide to the consumer immediately upon request.

(e) Future disclosures. Your notice may include:

(1) Categories of nonpublic personal information that you reserve the right to disclose in the future, but do not currently disclose; and

(2) Categories of affiliates or nonaffiliated third parties to whom you reserve the right in the future to disclose, but to whom you do not currently disclose, nonpublic personal information.

(f) Model privacy form. Pursuant to §313.2(a) of this part, a model privacy form that meets the notice content requirements of this section is included in appendix A of this part.

[65 FR 33677, May 24, 2000, as amended at 74 FR 62965, Dec. 1, 2009]



For questions or comments regarding e-CFR editorial content, features, or design, email ecfr@nara.gov.
For questions concerning e-CFR programming and delivery issues, email webteam@gpo.gov.