Collapse to view only § 6809. Definitions
- § 6801. Protection of nonpublic personal information
- § 6802. Obligations with respect to disclosures of personal information
- § 6803. Disclosure of institution privacy policy
- § 6804. Rulemaking
- § 6805. Enforcement
- § 6806. Relation to other provisions
- § 6807. Relation to State laws
- § 6808. Study of information sharing among financial affiliates
- § 6809. Definitions
§ 6801. Protection of nonpublic personal information
(a) Privacy obligation policy
(b) Financial institutions safeguards
In furtherance of the policy in subsection (a), each agency or authority described in section 6805(a) of this title, other than the Bureau of Consumer Financial Protection, shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards—
(1) to insure the security and confidentiality of customer records and information;
(2) to protect against any anticipated threats or hazards to the security or integrity of such records; and
(3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
(Pub. L. 106–102, title V, § 501, Nov. 12, 1999, 113 Stat. 1436; Pub. L. 111–203, title X, § 1093(1), July 21, 2010, 124 Stat. 2095.)
§ 6802. Obligations with respect to disclosures of personal information
(a) Notice requirements
(b) Opt out
(1) In generalA financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless—
(A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, that such information may be disclosed to such third party;
(B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and
(C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option.
(2) Exception
(c) Limits on reuse of information
(d) Limitations on the sharing of account number information for marketing purposes
(e) General exceptionsSubsections (a) and (b) shall not prohibit the disclosure of nonpublic personal information—
(1) as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with—
(A) servicing or processing a financial product or service requested or authorized by the consumer;
(B) maintaining or servicing the consumer’s account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
(C) a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;
(2) with the consent or at the direction of the consumer;
(3)
(A) to protect the confidentiality or security of the financial institution’s records pertaining to the consumer, the service or product, or the transaction therein; (B) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; (C) for required institutional risk control, or for resolving customer disputes or inquiries; (D) to persons holding a legal or beneficial interest relating to the consumer; or (E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;
(4) to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors;
(5) to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 [12 U.S.C. 3401 et seq.], to law enforcement agencies (including the Bureau of Consumer Financial Protection 1
1 So in original. Probably should be followed by a comma.
a Federal functional regulator, the Secretary of the Treasury with respect to subchapter II of chapter 53 of title 31, and chapter 2 of title I of Public Law 91–508 (12 U.S.C. 1951–1959), a State insurance authority, or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;(6)
(A) to a consumer reporting agency in accordance with the Fair Credit Reporting Act [15 U.S.C. 1681 et seq.], or (B) from a consumer report reported by a consumer reporting agency;
(7) in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or
(8) to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.
(Pub. L. 106–102, title V, § 502, Nov. 12, 1999, 113 Stat. 1437; Pub. L. 111–203, title X, § 1093(2),
§ 6803. Disclosure of institution privacy policy
(a) Disclosure requiredAt the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, of such financial institution’s policies and practices with respect to—
(1) disclosing nonpublic personal information to affiliates and nonaffiliated third parties, consistent with section 6802 of this title, including the categories of information that may be disclosed;
(2) disclosing nonpublic personal information of persons who have ceased to be customers of the financial institution; and
(3) protecting the nonpublic personal information of consumers.
(b) Regulations
(c) Information to be includedThe disclosure required by subsection (a) shall include—
(1) the policies and practices of the institution with respect to disclosing nonpublic personal information to nonaffiliated third parties, other than agents of the institution, consistent with section 6802 of this title, and including—
(A) the categories of persons to whom the information is or may be disclosed, other than the persons to whom the information may be provided pursuant to section 6802(e) of this title; and
(B) the policies and practices of the institution with respect to disclosing of nonpublic personal information of persons who have ceased to be customers of the financial institution;
(2) the categories of nonpublic personal information that are collected by the financial institution;
(3) the policies that the institution maintains to protect the confidentiality and security of nonpublic personal information in accordance with section 6801 of this title; and
(4) the disclosures required, if any, under section 1681a(d)(2)(A)(iii) of this title.
(d) Exemption for certified public accountants
(1) In generalThe disclosure requirements of subsection (a) do not apply to any person, to the extent that the person is—
(A) a certified public accountant;
(B) certified or licensed for such purpose by a State; and
(C) subject to any provision of law, rule, or regulation issued by a legislative or regulatory body of the State, including rules of professional conduct or ethics, that prohibits disclosure of nonpublic personal information without the knowing and expressed consent of the consumer.
(2) Limitation
(3) Definitions
(e) Model forms
(1) In general
(2) FormatA model form developed under paragraph (1) shall—
(A) be comprehensible to consumers, with a clear format and design;
(B) provide for clear and conspicuous disclosures;
(C) enable consumers easily to identify the sharing practices of a financial institution and to compare privacy practices among financial institutions; and
(D) be succinct, and use an easily readable type font.
(3) Timing
(4) Safe harbor
(f) Exception to annual notice requirementA financial institution that—
(1) provides nonpublic personal information only in accordance with the provisions of subsection (b)(2) or (e) of section 6802 of this title or regulations prescribed under section 6804(b) of this title, and
(2) has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with this section,
shall not be required to provide an annual disclosure under this section until such time as the financial institution fails to comply with any criteria described in paragraph (1) or (2).
(Pub. L. 106–102, title V, § 503, Nov. 12, 1999, 113 Stat. 1439; Pub. L. 109–351, title VI, § 609, title VII, § 728, Oct. 13, 2006, 120 Stat. 1983, 2003; Pub. L. 114–94, div. G, title LXXV, § 75001, Dec. 4, 2015, 129 Stat. 1787.)
§ 6804. Rulemaking
(a) Regulatory authority
(1) Rulemaking
(A) In general
(B) CFTC
(C) Federal Trade Commission authority
(D) Rule of construction
(2) Coordination, consistency, and comparability
(3) Procedures and deadline
(b) Authority to grant exceptions
(Pub. L. 106–102, title V, § 504, Nov. 12, 1999, 113 Stat. 1439; Pub. L. 111–203, title X, § 1093(3), July 21, 2010, 124 Stat. 2095.)
§ 6805. Enforcement
(a) In generalSubject to subtitle B of the Consumer Financial Protection Act of 2010 [12 U.S.C. 5511 et seq.], this subchapter and the regulations prescribed thereunder shall be enforced by the Bureau of Consumer Financial Protection, the Federal functional regulators, the State insurance authorities, and the Federal Trade Commission with respect to financial institutions and other persons subject to their jurisdiction under applicable law, as follows:
(1) Under section 1818 of title 12, by the appropriate Federal banking agency, as defined in section 1813(q) of title 12, in the case of—
(A) national banks, Federal branches and Federal agencies of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers);
(B) member banks of the Federal Reserve System (other than national banks), branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, organizations operating under section 25 or 25A of the Federal Reserve Act [12 U.S.C. 601 et seq., 611 et seq.], and bank holding companies and their nonbank subsidiaries or affiliates (except brokers, dealers, persons providing insurance, investment companies, and investment advisers);
(C) banks insured by the Federal Deposit Insurance Corporation (other than members of the Federal Reserve System), insured State branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers); and
(D) savings associations the deposits of which are insured by the Federal Deposit Insurance Corporation, and any subsidiaries of such savings associations (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
(2) Under the Federal Credit Union Act [12 U.S.C. 1751 et seq.], by the Board of the National Credit Union Administration with respect to any federally insured credit union, and any subsidiaries of such an entity.
(3) Under the Securities Exchange Act of 1934 [15 U.S.C. 78a et seq.], by the Securities and Exchange Commission with respect to any broker or dealer.
(4) Under the Investment Company Act of 1940 [15 U.S.C. 80a–1 et seq.], by the Securities and Exchange Commission with respect to investment companies.
(5) Under the Investment Advisers Act of 1940 [15 U.S.C. 80b–1 et seq.], by the Securities and Exchange Commission with respect to investment advisers registered with the Commission under such Act.
(6) Under State insurance law, in the case of any person engaged in providing insurance, by the applicable State insurance authority of the State in which the person is domiciled, subject to
(7) Under the Federal Trade Commission Act [15 U.S.C. 41 et seq.], by the Federal Trade Commission for any other financial institution or other person that is not subject to the jurisdiction of any agency or authority under paragraphs (1) through (6) of this subsection.
(8) Under subtitle E of the Consumer Financial Protection Act of 2010 [12 U.S.C. 5561 et seq.], by the Bureau of Consumer Financial Protection, in the case of any financial institution and other covered person or service provider that is subject to the jurisdiction of the Bureau and any person subject to this subchapter, but not with respect to the standards under section 6801 of this title.
(b) Enforcement of section 6801
(1) In general
(2) Exception
(c) Absence of State action
(d) Definitions
(Pub. L. 106–102, title V, § 505, Nov. 12, 1999, 113 Stat. 1440; Pub. L. 111–203, title X, § 1093(4), (5), July 21, 2010, 124 Stat. 2096, 2097.)
§ 6806. Relation to other provisions
Except for the amendments made by subsections (a) and (b), nothing in this chapter shall be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act [15 U.S.C. 1681 et seq.], and no inference shall be drawn on the basis of the provisions of this chapter regarding whether information is transaction or experience information under section 603 of such Act [15 U.S.C. 1681a].
(Pub. L. 106–102, title V, § 506(c), Nov. 12, 1999, 113 Stat. 1442.)
§ 6807. Relation to State laws
(a) In general
(b) Greater protection under State law
(Pub. L. 106–102, title V, § 507, Nov. 12, 1999, 113 Stat. 1442; Pub. L. 111–203, title X, § 1093(6), July 21, 2010, 124 Stat. 2097.)
§ 6808. Study of information sharing among financial affiliates
(a) In general
The Secretary of the Treasury, in conjunction with the Federal functional regulators and the Federal Trade Commission, shall conduct a study of information sharing practices among financial institutions and their affiliates. Such study shall include—
(1) the purposes for the sharing of confidential customer information with affiliates or with nonaffiliated third parties;
(2) the extent and adequacy of security protections for such information;
(3) the potential risks for customer privacy of such sharing of information;
(4) the potential benefits for financial institutions and affiliates of such sharing of information;
(5) the potential benefits for customers of such sharing of information;
(6) the adequacy of existing laws to protect customer privacy;
(7) the adequacy of financial institution privacy policy and privacy rights disclosure under existing law;
(8) the feasibility of different approaches, including opt-out and opt-in, to permit customers to direct that confidential information not be shared with affiliates and nonaffiliated third parties; and
(9) the feasibility of restricting sharing of information for specific uses or of permitting customers to direct the uses for which information may be shared.
(b) Consultation
(c) Report
(Pub. L. 106–102, title V, § 508, Nov. 12, 1999, 113 Stat. 1442.)
§ 6809. DefinitionsAs used in this subchapter:
(1) Federal banking agency
(2) Federal functional regulatorThe term “Federal functional regulator” means—
(A) the Board of Governors of the Federal Reserve System;
(B) the Office of the Comptroller of the Currency;
(C) the Board of Directors of the Federal Deposit Insurance Corporation;
(D) the Director of the Office of Thrift Supervision;
(E) the National Credit Union Administration Board; and
(F) the Securities and Exchange Commission.
(3) Financial institution
(A) In general
(B) Persons subject to CFTC regulation
(C) Farm credit institutions
(D) Other secondary market institutions
(4) Nonpublic personal information
(A) The term “nonpublic personal information” means personally identifiable financial information—
(i) provided by a consumer to a financial institution;
(ii) resulting from any transaction with the consumer or any service performed for the consumer; or
(iii) otherwise obtained by the financial institution.
(B) Such term does not include publicly available information, as such term is defined by the regulations prescribed under section 6804 of this title.
(C) Notwithstanding subparagraph (B), such term—
(i) shall include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any nonpublic personal information other than publicly available information; but
(ii) shall not include any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any nonpublic personal information.
(5) Nonaffiliated third party
(6) Affiliate
(7) Necessary to effect, administer, or enforceThe term “as necessary to effect, administer, or enforce the transaction” means—
(A) the disclosure is required, or is a usual, appropriate, or acceptable method, to carry out the transaction or the product or service business of which the transaction is a part, and record or service or maintain the consumer’s account in the ordinary course of providing the financial service or financial product, or to administer or service benefits or claims relating to the transaction or the product or service business of which it is a part, and includes—
(i) providing the consumer or the consumer’s agent or broker with a confirmation, statement, or other record of the transaction, or information on the status or value of the financial service or financial product; and
(ii) the accrual or recognition of incentives or bonuses associated with the transaction that are provided by the financial institution or any other party;
(B) the disclosure is required, or is one of the lawful or appropriate methods, to enforce the rights of the financial institution or of other persons engaged in carrying out the financial transaction, or providing the product or service;
(C) the disclosure is required, or is a usual, appropriate, or acceptable method, for insurance underwriting at the consumer’s request or for reinsurance purposes, or for any of the following purposes as they relate to a consumer’s insurance: Account administration, reporting, investigating, or preventing fraud or material misrepresentation, processing premium payments, processing insurance claims, administering insurance benefits (including utilization review activities), participating in research projects, or as otherwise required or specifically permitted by Federal or State law; or
(D) the disclosure is required, or is a usual, appropriate or acceptable method, in connection with—
(i) the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid using a debit, credit or other payment card, check, or account number, or by other payment means;
(ii) the transfer of receivables, accounts or interests therein; or
(iii) the audit of debit, credit or other payment information.
(8) State insurance authority
(9) Consumer
(10) Joint agreement
(11) Customer relationship
(Pub. L. 106–102, title V, § 509, Nov. 12, 1999, 113 Stat. 1443.)