Home
gpo.gov
govinfo.gov

e-CFR Navigation Aids

Browse

Simple Search

Advanced Search

 — Boolean

 — Proximity

 

Search History

Search Tips

Corrections

Latest Updates

User Info

FAQs

Agency List

Incorporation By Reference

eCFR logo

Related Resources

Electronic Code of Federal Regulations

We invite you to try out our new beta eCFR site at https://ecfr.federalregister.gov. We have made big changes to make the eCFR easier to use. Be sure to leave feedback using the Help button on the bottom right of each page!

e-CFR data is current as of October 22, 2020

Title 17Chapter IPart 160Subpart A → §160.5


Title 17: Commodity and Securities Exchanges
PART 160—PRIVACY OF CONSUMER FINANCIAL INFORMATION UNDER TITLE V OF THE GRAMM-LEACH-BLILEY ACT
Subpart A—Privacy and Opt Out Notices


§160.5   Annual privacy notice to customers required.

(a)(1) General rule. Except as provided by paragraph (d) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the life of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.

(2) Example. You provide notice annually if you define the 12-consecutive-month period as a calendar year and provide the annual notice to the customer once in each calendar year following the calendar year in which you provided the initial notice. For example, if a customer opens an account on any day of year 1, you must provide an annual notice to that customer by December 31 of year 2.

(b)(1) Termination of customer relationship. You are not required to provide an annual notice to a former customer.

(2) Examples. Your customer becomes a former customer when:

(i) The individual's commodity interest account is closed;

(ii) The individual's advisory contract or subscription is terminated or expires; or

(iii) The individual has redeemed all of his or her units in your pool.

(c) Delivery of notice. When you are required by this section to deliver an annual privacy notice, you must deliver it in the manner provided by §160.9.

(d) Exception to annual privacy notice requirement. (1) You are not required to deliver an annual privacy notice if you:

(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with the provisions of §§160.13, 160.14, and 160.15 and any other exceptions adopted by the Commission pursuant to section 504(b) of the GLB Act; and

(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under §160.6(a)(2) through (5) and §160.6(a)(9) in the most recent privacy notice sent to the customer pursuant to this part.

(2) Delivery of annual privacy notice after you no longer meet requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (d)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (d)(2)(i) or (ii) of this section, as applicable.

(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (d)(1) of this section because you change your policies or practices in such a way that §160.8 of this part requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirements in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.

(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (d)(1) of this section because you change your policies or practices in such a way that §160.8 of this part does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirements of paragraph (d)(1) of this section.

[66 FR 21252, Apr. 27, 2001, as amended at 84 FR 17345, Apr. 25, 2019]

Need assistance?