§ 1033.421 - Third party obligations.

(a) General limitation on collection, use, and retention of consumer data—(1) In general. The third party will limit its collection, use, and retention of covered data to what is reasonably necessary to provide the consumer's requested product or service.

(2) Specific purposes. For purposes of paragraph (a)(1) of this section, the following are not part of, or reasonably necessary to provide, any other product or service:

(i) Targeted advertising;

(ii) Cross-selling of other products or services; or

(iii) The sale of covered data.

(b) Collection of covered data—(1) In general. Collection of covered data for purposes of paragraph (a) of this section includes the scope of covered data requested and the duration and frequency of collection of covered data.

(2) Maximum duration. In addition to the limitation described in paragraph (a) of this section, the third party will limit the duration of collection of covered data to a maximum period of one year after the consumer's most recent authorization.

(3) Reauthorization after maximum duration. To collect covered data beyond the one-year maximum period described in paragraph (b)(2) of this section, the third party will obtain a new authorization from the consumer pursuant to § 1033.401 no later than the anniversary of the most recent authorization from the consumer. The third party is permitted to ask the consumer for a new authorization pursuant to § 1033.401 in a reasonable manner. Indicia that a new authorization request is reasonable include its conformance to a consensus standard.

(c) Use of covered data. Use of covered data for purposes of paragraph (a) of this section includes both the third party's own use of covered data and provision of covered data by that third party to other third parties. Examples of uses of covered data that are permitted under paragraph (a) of this section include:

(1) Uses that are specifically required under other provisions of law, including to comply with a properly authorized subpoena or summons or to respond to a judicial process or government regulatory authority;

(2) Uses that are reasonably necessary to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability;

(3) Servicing or processing the product or service the consumer requested; and

(4) Uses that are reasonably necessary to improve the product or service the consumer requested.

(d) Accuracy. A third party will establish and maintain written policies and procedures that are reasonably designed to ensure that covered data are accurately received from a data provider and accurately provided to another third party, if applicable.

(1) Flexibility. A third party has flexibility to determine its policies and procedures in light of the size, nature, and complexity of its activities.

(2) Periodic review. A third party will periodically review its policies and procedures and update them as appropriate to ensure their continued effectiveness.

(3) Elements. In developing its policies and procedures regarding accuracy, a third party must consider, for example:

(i) Accepting covered data in a format required by § 1033.311(b); and

(ii) Addressing information provided by a consumer, data provider, or another third party regarding inaccuracies in the covered data.

(4) Indicia of compliance. Indicia that a third party's policies and procedures are reasonable include whether the policies and procedures conform to a consensus standard regarding accuracy.

(e) Data security. (1) A third party will apply to its systems for the collection, use, and retention of covered data an information security program that satisfies the applicable rules issued pursuant to section 501 of the Gramm-Leach-Bliley Act (15 U.S.C. 6801); or

(2) If the third party is not subject to section 501 of the Gramm-Leach-Bliley Act, the third party will apply to its systems for the collection, use, and retention of covered data the information security program required by the Federal Trade Commission's Standards for Safeguarding Customer Information, 16 CFR part 314.

(f) Provision of covered data to other third parties. Before providing covered data to another third party, subject to the limitation described in paragraphs (a) and (c) of this section, the third party will require the other third party by contract to comply with the third party obligations in paragraphs (a) through (f) of this section and the condition in paragraph (i) of this section upon receipt of the notice described in paragraph (h)(2) of this section.

(g) Ensuring consumers are informed. (1) Upon obtaining authorization to access covered data on the consumer's behalf, the third party will provide the consumer with a copy of the authorization disclosure that the consumer has signed electronically or in writing and that reflects the date of the consumer's electronic or written signature. The third party will deliver that copy of the authorization disclosure to the consumer or make it available in a location that is readily accessible to the consumer, such as the third party's interface. If the third party makes the authorization disclosure available in such a location, the third party will ensure it is accessible to the consumer until the third party's access to the consumer's covered data terminates.

(2) The third party will provide contact information that enables a consumer to receive answers to questions about the third party's access to the consumer's covered data. The contact information must be readily identifiable to the consumer.

(3) The third party will establish and maintain reasonable written policies and procedures designed to ensure that the third party provides to the consumer, upon request, the information listed in this paragraph (g)(3) about the third party's access to the consumer's covered data. The third party has flexibility to determine its policies and procedures in light of the size, nature, and complexity of its activities, and the third party will periodically review its policies and procedures and update them as appropriate to ensure their continued effectiveness. The policies and procedures must be designed to ensure that the third party provides the following to the consumer, upon request:

(i) Categories of covered data collected;

(ii) Reasons for collecting the covered data;

(iii) Names of parties with which the covered data was shared. The names must be readily understandable to the consumer;

(iv) Reasons for sharing the covered data;

(v) Status of the third party's authorization;

(vi) How the consumer can revoke the third party's authorization to access the consumer's covered data and verification the third party has adhered to requests for revocation; and

(vii) A copy of any data aggregator certification statement that was provided to the consumer pursuant to § 1033.431(c)(2).

(h) Revocation of third party authorization—(1) Provision of revocation method. The third party will provide the consumer with a method to revoke the third party's authorization to access the consumer's covered data that is as easy to access and operate as the initial authorization. The third party will also ensure the consumer is not subject to costs or penalties for revoking the third party's authorization.

(2) Notice of revocation. The third party will notify the data provider, any data aggregator, and other third parties to whom it has provided the consumer's covered data when the third party receives a revocation request from the consumer.

(i) Effect of maximum duration and revocation on collection, use, and retention. If a consumer does not provide a new authorization as described in paragraph (b)(3) of this section, or if a third party receives a revocation request as described in paragraph (h)(1) of this section or notice of a consumer's revocation request as described in § 1033.331(e), a third party will:

(1) No longer collect covered data pursuant to the most recent authorization; and

(2) No longer use or retain covered data that was previously collected pursuant to the most recent authorization unless use or retention of that covered data remains reasonably necessary to provide the consumer's requested product or service under paragraph (a) of this section.