(a) Simplified nondisclosure notice requirements. A covered entity that does not disclose, and does not reserve the right to disclose, nonpublic personal financial information about customers or former customers to nonaffiliated third parties except as authorized under §22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and §22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), may comply with this subchapter by providing a simplified notice that expresses:
(1) the nondisclosure policy stated in this subsection, and
(2) the information required by subsections (b)(1), (b)(8), (b)(9), and (c) of this section.
(b) Disclosure notice requirements. The initial, annual, and revised privacy notices a covered entity provides under §22.8 of this title (relating to Initial Privacy Notice), §22.9 of this title (relating to Annual Privacy Notice), and §22.12 of this title (relating to Revised Privacy Notices) must include the following items of information, in addition to any other information the covered entity wishes to provide, that applies to the covered entity and to the consumers to whom the covered entity sends its privacy notice.
(1) The categories of nonpublic personal financial information the covered entity collects. A covered entity satisfies the requirement to categorize the nonpublic personal financial information it collects when the covered entity categorizes it according to the source of the information, as applicable, including:
(2) The categories of nonpublic personal financial information the covered entity discloses.
(3) The categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information, other than those parties to whom the covered entity discloses information under §22.18 and §22.19 of this title.
(4) The categories of nonpublic personal financial information about the covered entity's former customers that the covered entity discloses and the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information about the covered entity's former customers, other than those parties to whom the covered entity discloses information under §22.18 and §22.19 of this title.
(5) A separate description of the categories of information the covered entity discloses and the categories of third parties with whom the covered entity has contracted, if the covered entity discloses nonpublic personal financial information to a nonaffiliated third party under §22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing) and no other exception in §22.18 and §22.19 of this title applies to that disclosure.
(6) An explanation of the consumer's right under §22.14(a) of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.
(7) Any disclosures the covered entity makes under §603(d)(2)(A)(iii) of the federal FCRA (15 U.S.C. §1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates).
(8) The covered entity's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information. A covered entity provides an adequate description of its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:
(9) Any disclosure the covered entity makes under subsection (c) of this section.
(c) Description of nonaffiliated third parties subject to exceptions. A covered entity that discloses nonpublic personal financial information to third parties as authorized under §22.18 and §22.19 of this title is not required to list those exceptions in the initial or annual privacy notices required by §22.8 and §22.9 of this title. When describing the categories of parties to whom the covered entity makes disclosures, it is sufficient for the covered entity to state that it makes disclosures to other nonaffiliated companies:
(1) for the covered entity's everyday business purposes, such as (include all that apply) to process account transactions, maintain accounts, respond to court orders and legal investigations, or report to credit bureaus; or
(2) as permitted by law.
(d) Appropriate methods of categorizing affiliates and nonaffiliated third parties.
(1) A covered entity satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the covered entity discloses nonpublic personal financial information about consumers if the covered entity identifies the types of businesses in which they engage.
(2) Types of businesses may be described by general terms only if the covered entity uses illustrative examples of significant lines of business. For example, a covered entity may use the term "financial products or services" if the notice includes appropriate examples of significant lines of businesses or services, such as life insurer, automobile insurer, consumer banking, or securities brokerage.
(3) A covered entity also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.
(e) Disclosures under exception for service providers and joint marketers. A covered entity that discloses nonpublic personal financial information under the exception in §22.17 of this title to a nonaffiliated third party to market products or services it offers alone or jointly with another financial institution satisfies the disclosure requirement of subsection (b)(5) of this section if it:
(1) lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the covered entity used to meet the requirements of subsection (a)(2) of this section, as applicable; and
(2) states whether the third party is:
(f) Short-form initial notice with opt out notice for noncustomers.
(1) A covered entity may satisfy the initial notice requirements in §22.8(a)(2) and §22.11(c) of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) for a consumer who is not a customer by providing a short-form initial notice at the same time as the covered entity delivers an opt out notice as required in §22.11 of this title.
(2) A short-form initial notice must:
(3) The covered entity must deliver its short-form initial notice according to §22.13 of this title (relating to Delivery). The covered entity is not required to deliver its privacy notice with its short-form initial notice. The covered entity may instead provide the consumer with a reasonable means to obtain its privacy notice. If a consumer who receives the covered entity's short-form notice requests the covered entity's privacy notice, the covered entity must deliver its privacy notice according to §22.13 of this title.
(4) The covered entity provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the covered entity:
(g) Reservation of right to disclose. The covered entity's notice may include:
(1) categories of nonpublic personal financial information the covered entity reserves the right to disclose in the future, but does not currently disclose; and
(2) categories of affiliates or nonaffiliated third parties to whom the covered entity reserves the right in the future to disclose, but to whom the covered entity does not currently disclose, nonpublic personal financial information.
(h) Model privacy form. A model privacy form that meets the notice content requirements of this section appears in 74 Federal Register 62890 (December 1, 2009). A covered entity may use the applicable model privacy form, consistent with the instructions in §22.27 of this title (relating to General Instructions).
Source Note: The provisions of this §22.10 adopted to be effective December 17, 2001, 26 TexReg 10316; amended to be effective December 7, 2014, 39 TexReg 9566