FINANCIAL INFORMATION PRIVACY PROTECTION ACT

NATIONAL CONFERENCE OF INSURANCE LEGISLATORS
FINANCIAL INFORMATION PRIVACY PROTECTION MODEL ACT

Adopted by the NCOIL Executive Committee on November 17, 2000.
Amended on March 2, 2001.
Amendments are in boldface.
TABLE OF CONTENTS

FINANCIAL INFORMATION PRIVACY PROTECTION MODEL ACT

CHAPTER ONE: TITLE, PURPOSE & DEFINITIONS 1

Section 101: Short Title 1

Section 102: Purpose 1

Section 103: Scope 2

Section 104: Definitions 2

Section 105: Nondiscrimination 9

CHAPTER TWO: PRIVACY AND OPT OUT NOTICES 10

Section 201: Initial privacy notice to consumers required 10

Section 202: Annual privacy notice to customers required 12

Section 203: Information to be included in privacy notices 13

Section 204: Form of opt out notice to consumers; opt out methods 15

Section 205: Revised privacy notices 17

Section 206: Delivering privacy and opt out notices 17

~~Section 207: Nondiscrimination 19~~

CHAPTER THREE: LIMITS ON DISCLOSURE 19

Section 301: Limits on disclosure of nonpublic personal financial information to

nonaffiliated third parties 19

Section 302: Limits on redisclosure and reuse of information 20

Section 303: Limits on sharing policy or contract number information for

marketing purposes 22

CHAPTER FOUR: EXCEPTIONS 22

Section 401: Exception to opt out requirements for service providers and joint

marketing 22

Section 402: Exceptions to notice and opt out requirements for processing and

servicing transactions 23

Section 403: Other exceptions to notice and opt out requirements 25

CHAPTER FIVE: PERSONALLY IDENTIFIABLE HEALTH INFORMATION 27

Section 501: Personally identifiable health information privacy notice and

disclosure authorization 27

CHAPTER SIX: RELATION TO OTHER LAWS; EFFECTIVE DATE 28

Section 601: Protection of Fair Credit Reporting Acts 28

Section 602: Protection of Health Insurance Portability and Accountability Act 29

Section 603: Determined violation 29

Section 604: Rules and Regulations 29

Section ~~605~~ 604: Effective date; transition rule 29

NATIONAL CONFERENCE OF INSURANCE LEGISLATORS

FINANCIAL INFORMATION PRIVACY PROTECTION MODEL ACT

CHAPTER ONE: TITLE, PURPOSE & DEFINITIONS

Section 101: Short Title

This Act shall be known and may be cited as the "Financial Information Privacy Protection Model Act."

Section 102: Purpose

This Act shall be liberally construed and applied to promote uniformity and functional regulation by:

A. implementing Title V of the Gramm-Leach-Bliley Act ("GLBA") (15 U.S.C. 6801, et.seq.,), that requires financial institutions, including insurers, to respect the privacy of their customers and to protect the security and confidentiality of those customers' nonpublic personal financial information;

B. establishing appropriate consumer privacy standards for insurance providers to be administered by this State's insurance regulatory authorities;

C. ensuring, pursuant to Section 6805(c) of GLBA, that this State shall be eligible to override, pursuant to Section 47(g)(2)(B)(iii) of the Federal Deposit Insurance Act, the insurance customer protections prescribed by a Federal banking agency under Section 45(a) of such Act;

D. requiring, pursuant to Sections 6802 and 6803 of GLBA that insurers maintain a privacy policy that is clearly communicated to customers and, under certain circumstances, to consumers and, that, subject to appropriate exceptions, no "nonpublic personal financial information" be disclosed to nonaffiliated third parties unless a consumer has been given a chance to "opt out" of having his or her information disclosed, that disclosure is authorized in the case of personally identifiable health information, and that no specific account information be given to direct marketing firms, as provided in Section 501;

E. providing for the enforcement of this Act by this State's insurance regulatory authorities; and

F. authorizing this State's insurance regulatory authorities to promulgate regulations as determined to be necessary to effectuate the purposes of this Act.

Section 103: Scope

This Act:

A. requires a licensee to provide notice to customers and, under certain

circumstances, to consumers about its privacy policies and practices;

B. describes the conditions under which a licensee may disclose nonpublic personal information about consumers and customers to nonaffiliated third parties;

C. provides a method for consumers and customers to prevent a licensee from

disclosing that information unless otherwise exempted as routine business disclosures in Sections 401, 402, 403 or 501;

D. establishes reasonable exceptions in Sections 401, 402, and 403 of this Act to the

notice requirements of licensees and the ability of consumers and customers to "opt out" of or to authorize certain disclosures; and

E. applies only to nonpublic personal information about individuals who obtain

financial products or services in this State from an insurer for personal, family or household purposes. This Act does not apply to information about companies or individuals who obtain financial products or services for business, commercial, or agricultural purposes. In particular, this Act does not apply to commercial insurance policies issued by the licensee.

Section 104: Definitions

As used in this Act, unless the context requires otherwise:

A. "Affiliate" means any company that controls, is controlled by, or is under

common control with another company.

B. “Agent” means [insert state definition].

C. "Clear and conspicuous" means that a notice is reasonably understandable and

designed to call attention to the nature and significance of the information in the notice.

D. "Collect" means to obtain information that the licensee organizes or can retrieve

by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information.

E. "Company" means any corporation, limited liability company, business trust,

general or limited partnership, association, sole proprietorship or similar organization.

F. "Consumer" means an individual who seeks to obtain, obtains, or has obtained an

insurance product or service in this state from a licensee, or that individual's legal representative, that is to be used primarily for personal, family, or household purposes, and about whom the licensee has nonpublic personal information.

1. A consumer is, including but not limited to:

a.1. an individual who provides nonpublic personal information to a licensee in connection with seeking to obtain or obtaining financial, insurance, investment or economic advisory services regardless of whether the licensee establishes an ongoing relationship; or

b.2. an applicant for insurance prior to the inception of insurance coverage;.

3. an individual who provides nonpublic personal information to a licensee in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes, regardless of whether the loan is extended;

2.4. ~~and, an~~ An individual is not a licensee's consumer for reasons including but not limited to~~, because~~:

(a) he or she is a beneficiary of a trust for which the licensee is a trustee,

(b) he or she is a third party liability claimant,

(c) he or she has designated the licensee as trustee for a trust, or

(d) he or she is a consumer of another financial institution to which the licensee acts as agent for, or provides processing or other services~~; and~~.

3.5. an An individual is also not a licensee’s consumer because:

(a) he or she is a participant or a beneficiary of an employee benefit plan that the licensee administers or sponsors or for which the licensee acts as a trustee, insurer or fiduciary; or

(b) he or she is covered under a group or blanket insurance policy or group annuity contract issued by the licensee:

(i) provided that the licensee provides the initial, annual and revised notices under Section 201, 202 and 203 of this Act to the plan sponsor, group or blanket insurance policyholder or group annuity

contractholder;

(ii) and further provided that the licensee does not disclose to a nonaffiliated third party nonpublic personal financial information about such an individual other than as permitted under Sections 401, 402 and 403 of this Act.

In no event shall the individuals, solely by virtue of the status described in subparagraphs 5(a) and (b) above, be deemed to be customers for purposes of this Act.

G. "Consumer reporting agency" has the same meaning as in Section 603(f) of the

Federal Fair Credit Reporting Act (15 U.S.C. 1681a(f)) and [insert reference to analogous state fair credit law, if applicable].

H. "Control" means :

1. ownership, control or power to vote twenty-five percent (25%) or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;

2. control in any manner over the election of a majority of the directors, trustees or general partners (or individuals exercising similar functions) of the company; or

3. the power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the Commissioner determines.

I. "Customer" means a consumer who has a customer relationship with a licensee.

In no event, however, shall a beneficiary or a claimant under a policy of insurance, solely by virtue of their status as a beneficiary or claimant, be deemed to be a customer for the purposes of this Act.

J. "Customer relationship" means a continuing relationship between a

consumer and a licensee under which the licensee provides one or more financial products

or services to the consumer that are to be used primarily for personal, family, or household

purposes, including, but not limited to, if the consumer:

1. is a current policyholder of an insurance product or other product issued by or through a licensee;

2. obtains financial, investment or economic advisory services relating to an insurance product or service from a licensee for a fee.

K. "Financial institution" means the same as that term is defined in Section 509(3) of GLBA, and is as follows:

1. IN GENERAL – The term ‘financial institution’ means any institution the business of which is engaging in financial activities as described in Section 4(k) of the Bank Holding Company Act of 1956.

2. PERSONS SUBJECT TO CFTC REGULATION – Notwithstanding subparagraph (1), the term ‘financial institution’ does not include any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act.

3. FARM CREDIT INSTITUTIONS – Notwithstanding subparagraph (1), the term ‘financial institution’ does not include the Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971.

4. OTHER SECONDARY MARKET INSTITUTIONS – Notwithstanding subparagraph (1), the term ‘financial institution’ does not include institutions chartered by Congress specifically to engage in transactions described in Section 502(e)(1)(C), as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.

L. "Financial product or service" means any product or service that is offered by a licensee pursuant to this State's insurance code, including, but not limited to a licensee's evaluation or brokerage of information that the licensee collects in connection with a request or an application from a consumer for a financial product or service.

M. "Health information" means any information or data, except age or gender, whether oral or recorded in any form or medium, created by or derived from a health care provider or the consumer or customer that relates to:

1. the past, present or future physical, mental or behavioral health or condition of a consumer ~~or a member of the consumer's family~~;

2. the provision of health care to a consumer; or

3. payment for the provision of health care to a consumer.

N. "Licensee" means a person licensed, or required to be licensed, or authorized, or

required to be authorized, or registered, or required to be registered pursuant to the Insurance Law of this state, [a health maintenance organization holding, or required to hold, a certificate of authority pursuant to the law governing such organizations in this State]; or other covered entities.

[Drafting Note: The term “health maintenance organization” has been bracketed because state laws treat HMOs in different ways. Individual states may want to decide whether to include HMOs.]

1. A licensee that is a producer or independent insurance agent is subject to all the requirements of this Act, except when the producer or agent is acting as agent for a licensee. In that case, the producer acting as agent for a licensee is exempt ~~only~~ from the notice and opt out requirements~~, rather than all requirements,~~ of the Act, and only if such producer does not disclose consumer information other than as permitted by Sections 401, 402 and 403.

2. Employees or other representatives acting on behalf of a licensee are also exempt from the notice and opt out requirements of the Act where (a) the licensee complies with the notice provisions of this Act and (b) the employee or other representative does not disclose nonpublic personal information other than to the licensee or its affiliates in a manner permitted by this Act.

1.3. Subject to subparagraph 2, ~~“covered entities”~~ a licensee shall also include unauthorized insurers who place business through licensed excess line brokers in this state, but only in regard to the excess line placements placed pursuant to Section [insert section] of this state’s laws.

2.4. Licensed excess line brokers ~~placing business underwritten by covered entities and those covered entities~~ shall be deemed to be in compliance with the notice and opt out requirements for nonpublic personal financial information set forth in Chapters One, Two, Three, Four, and Six of this Act provided:

(a) such licensed excess line brokers ~~and covered entities~~ do not disclose nonpublic personal information of a consumer or a customer to nonaffiliated third parties for any purpose, including joint servicing or marketing under Section 401 of this Act, except as permitted by Section 402 or 403 of this Act; and

(b) at the time the customer relationship is established, a single notice is delivered to the consumer on behalf of all such licensed excess line brokers ~~and covered entities~~ involved in the provision of a financial product or service to a consumer or customer on which the following is printed in 16-point type:

PRIVACY NOTICE

“NEITHER THE U.S. BROKER(S) THAT HANDLED THIS INSURANCE NOR THE INSURER(S) THAT HAVE UNDERWRITTEN THIS INSURANCE WILL DISCLOSE NONPUBLIC PERSONAL INFORMATION CONCERNING THE BUYER TO NONAFFILIATES OF SUCH BROKER(S) OR SUCH INSURER(S) EXCEPT AS PERMITTED BY LAW.”

O. "Nonaffiliated third party" means any person, including, but not limited to any

company that is an affiliate solely by virtue of the licensee's or its affiliate's direct or indirect ownership or control of the company conducting: (i) merchant banking or investment banking activities of the type described in Section 4(k)(4)(H) of the Federal Bank Holding Company Act ; or (ii) insurance company investment activities of the type described in Section 4(k)(4)(I) of the Federal Bank Holding Company Act. (12 U.S.C. 1843(k)(4)(H) and (I), except:

1. the licensee's affiliate; or

2. a person employed jointly by a licensee and any company that is not the

licensee's affiliate. Nonaffiliated third party includes the other company that jointly employs the person.

P. "Nonpublic personal information" means nonpublic personal financial information and nonpublic personal health information.

Q. "Nonpublic personal financial information" means:

1. personally identifiable financial information; and

2. any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available; and

3. any list of individual's names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as policy or contract numbers.

4. Nonpublic personal financial information does not include:

(a) health information;

(b) publicly available information, except as included on a list as described in subsection 4(d) of this Section; or

(c) any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.

(d) any list of individual's names and addresses that contains only publicly available information that is not derived, in whole or in part, using personally identifiable information that is not publicly available, and that is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.

R. "Nonpublic personal health information" means health information:

1. that identifies an individual who is the subject of the information; or

2. with respect to which there is a reasonable basis to believe that the information could be used to identify an individual.

S. "Opt out" means a direction by the consumer that a licensee not disclose

nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by Sections 401, 402 and 403 of this Act.

T. "Personally identifiable financial information" means financial information:

1. a consumer provides to a licensee to obtain a financial product or service from

the licensee;

2. about a consumer resulting from any transaction involving a financial product or

service between a licensee and a consumer; or

3. a licensee otherwise obtains about a consumer in connection with providing a

financial product or service to that consumer.

U. "Personally identifiable health information" means health information:

1. (a) a consumer provides to a licensee to obtain a financial product or service from the licensee;

(b) about a consumer resulting from any transaction involving a financial product or service between a licensee and a consumer; or

(c) the licensee otherwise obtains about a consumer in connection with providing a financial product or service to that consumer; and

(d) that identifies a consumer who is the subject of the information; or

(e) with respect to which there is a reasonable basis to believe that the information could be used to identify a consumer.

2. Personally identifiable health information does not include personally identifiable, non-medical information such as name, address, social security number, age, gender, etc. if legally obtained by the licensee from a source other than the consumer's medical record, even if such information is also part of the consumer's medical record.

V. "Publicly available information" means any information that the licensee

has a reasonable basis to believe is lawfully made available to the general public from:

1. federal, state, or local government records;

2. widely distributed media; or

3. disclosures to the general public that are required to be made by Federal, state or local law.

W. "Reasonable basis" means the licensee has a reasonable basis to believe that

information is lawfully made available to the general public because the licensee has taken steps to determine:

1. that the information is of the type that is available to the general public; and

2. whether an individual can direct that the information not be made available to the

general public and, if so, that a licensee's consumer has not done so.

Section 105: Nondiscrimination

A. No licensee shall unfairly discriminate against any customer or consumer on the basis of the customer's or consumer's exercise of his or her right to opt out of the sharing of his or her nonpublic personal information in the manner provided in this Act. Nothing in this Section shall prohibit licensees from engaging in their usual, appropriate, or acceptable method for insurance underwriting.

B. Nothing in this Act requires a licensee to provide a benefit or commence or continue payment of a claim in the absence of nonpublic personal health information or nonpublic personal financial information to support or deny the claim.

that accurately reflects the licensee's privacy policies and practices to:

1. Customer. An individual who becomes a licensee's customer, not later than the

time that the licensee establishes a customer relationship, except as provided in subsection E of this Section; and

2. Consumer. A consumer, before a licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if a licensee makes such a disclosure other than as authorized by Sections 402, 403 and 501 of this Act.

B. When initial notice to a consumer is not required. A licensee is not required to provide an initial notice to a consumer under subsection A of this section if:

1. the licensee does not disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, other than as authorized by Sections 402, 403 and 501 of this Act;

2. the licensee does not have a customer relationship with the consumer; or

3. a notice has been provided by an affiliated licensee, as long as the notice clearly identifies all licensees to whom the notice applies or states that it applies to all affiliates of the named licensee, and is accurate with respect to the licensee and the other institutions.

C. When a licensee establishes a customer relationship.

1. General rule. A licensee establishes a customer relationship at the time the licensee and the consumer enter into a continuing relationship, other than solely as a beneficiary or claimant.

2. A licensee establishes a customer relationship under circumstances including, but

not limited to the following:

(a) when the consumer becomes a policyholder. This occurs when an insurance policy or contract is delivered to the consumer.

(b) when the consumer agrees to obtain financial, insurance, economic, or investment advisory services from the licensee for a fee.

D. Existing customers. When an existing customer obtains a new financial product

or service from a licensee that is to be used primarily for personal, family, or household purposes, a licensee satisfies the initial notice requirements of subsection A of this section as follows:

1. a licensee may provide a revised policy notice, under Section 205 of this Act,

that covers the customer's new financial product or service; or

2. if the initial, revised, or annual notice that a licensee most recently provided to

that customer was accurate with respect to the new financial product or service, a licensee does not need to provide a new privacy notice under subsection A of this section.

E. Exceptions to allow subsequent delivery of notice. A licensee may provide the initial notice required by subsection A.1. of this section within a reasonable time after the licensee establishes a customer relationship if:

1. establishing the customer relationship is not at the customer's election, including but not limited to if the licensee acquires or is assigned the insurance policy or related records from another financial institution or residual market mechanism and the customer does not have a choice about such acquisition or assignment; or

2. providing notice not later than when the licensee establishes the customer relationship would substantially delay the customer's transaction, including but not limited to when the licensee and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service, and the customer agrees to receive the notice at a later time.

F. Joint relationships. If two or more consumers jointly obtain a financial product

or service from a licensee, the licensee may satisfy the requirements of subsection A. of this section by providing one initial notice to those consumers jointly.

G. Delivery. When a licensee is required to deliver an initial privacy notice by this

section, a licensee must deliver it according to Section 206 of this Act. If a licensee uses a short-form initial notice for non-customers according to Section 203.C. of this Act, the licensee may deliver its privacy notice according to Section 203.C.3. of this Act.

Section 202: Annual privacy notice to customers required

A. General rule. A licensee must provide a clear and conspicuous notice to a customer that accurately reflects the licensee's privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. A licensee may define the 12-consecutive-month period, but the licensee must apply it to the customer on a consistent basis.

B. Termination of customer relationship. A licensee is not required to provide an

annual notice to a former customer. A former customer is an individual with whom a licensee no longer has a continuing relationship.

1. A licensee no longer has a continuing relationship with an individual:

(a) if the individual no longer is a current policyholder of an insurance product or no longer obtains insurance services with or through the licensee;

(b) if the individual's policy is lapsed, expired or otherwise inactive or dormant under the licensee's business practices, and the licensee has not communicated with the customer about the relationship for a period of twelve consecutive months, other than to provide annual privacy notices, materials required by law or regulation, or promotional materials;

(c) if the individual's last known address according to the licensee's records is deemed to be invalid. An address of record is deemed invalid if mail sent to that address by the licensee has been returned by the postal authorities as undeliverable and if subsequent attempts by the licensee to obtain a current valid address for the individual have been unsuccessful; or

(d) in the case of providing real estate settlement services, at the time the customer completes execution of all documents related to the real estate closing, payment for those services has been received, or the licensee has completed all of its responsibilities with respect to the settlement, including filing documents on the public record, whichever is later.

C. Delivery. When the licensee is required to deliver an annual privacy notice by this

section, the licensee must deliver it according to Section 206 of this Act.

D. Such annual notice may be provided by an affiliated licensee, as long as the notice clearly identifies all licensees to which the notice applies or states that it applies to all affiliates of the named licensee, and is accurate with respect to the licensee and other institutions.

Section 203: Information to be included in privacy notices

A. General rule. The initial, annual, and revised privacy notices that a licensee

provides under Sections 201, 202 and 205 of this Act must include each of the following items of information that applies to the licensee or to the consumers to whom the licensee sends its privacy notice, in addition to any other information the licensee wishes to provide:

1. the categories of nonpublic personal financial information that the licensee collects;

2. the categories of nonpublic personal financial information that the licensee discloses;

3. the categories of affiliates and nonaffiliated third parties to whom the licensee

discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under Sections 402 and 403 of this Act;

4. the categories of nonpublic personal financial information about the licensee's former customers that it discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about its former customers, other than those parties to whom it discloses information under Sections 402 and 403 of this Act;

5. if a licensee discloses nonpublic personal financial information to a nonaffiliated third party under Section 401 of this Act (and no other exception applies to that disclosure), a separate statement of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;

6. an explanation of the right under Section 301 of this Act to opt out of the

disclosure of nonpublic personal financial information to nonaffiliated third parties and under Section 501 of this Act to authorize the disclosure of personally identifiable health information for marketing purposes, including the methods by which the consumer may exercise those rights at that time;

7. any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the

Federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii))(that is, notices regarding the ability to opt out of disclosures of information among affiliates);

8. the licensee's policies and practices with respect to protecting the confidentiality

and security of nonpublic personal information; and

9. a statement to the effect that the licensee makes disclosures under subsection B.

of this section, if such disclosures are made.

B. Description of nonaffiliated third parties subject to exceptions. If a licensee

discloses nonpublic personal financial information about a consumer to third parties only as authorized under Sections 402 and 403 of this Act, the licensee is not required to list those exceptions in the initial or annual privacy notices required by this Act. When describing the categories with respect to those parties, a licensee is only required to state that it makes disclosures to other nonaffiliated third parties as permitted by law.

C. Short-form initial notice with opt out notice for non-customers.

1. The licensee may satisfy the initial notice requirements of this Act for a consumer

who is not a customer by providing a short form initial notice at the same time as the licensee delivers an opt out notice as required in Section 206 of this Act and, if appropriate, an authorization as required in Section 501 of this Act.

2. A short form initial notice must:

(a) be clear and conspicuous;

(b) state that a licensee's privacy notice is available upon request; and

(c) explain a reasonable means by which the consumer may obtain that notice, including but not limited to providing a toll-free telephone number the consumer may call to request the notice or, for a consumer who conducts business in person in the licensee's office, providing notice to the consumer immediately upon request.

3. The licensee must deliver its short form notice according to Section 206 of this

Act. A licensee is not required to deliver its privacy notice with its short-form initial notice. A licensee may instead simply provide the consumer with a reasonable means to obtain the licensee's privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee must deliver its privacy notice according to Section 206 of this Act.

D. Future disclosures. A licensee's notice may include:

1. categories of nonpublic personal financial information that the licensee reserves the right to disclose in the future, but does not currently disclose; and

2. categories of affiliates or nonaffiliated third parties to whom the licensee reserves

the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal financial information.

E. Simplified notices. A licensee that does not disclose, and does not wish to reserve the right to disclose nonpublic personal financial information about customers or former customers to affiliates or nonaffiliated third parties except as authorized under Sections 402 and 403 of this Act, may simply state that fact, in addition to the information it shall provide under Subsections A(1), A(8), A(9) and Subsection B of this section.

Section 204: Form of opt out notice to consumers; opt out methods

A. Form of opt out notice. If a licensee is required to provide an opt out notice under

Section 301 of this Act, the licensee must provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under that section. The notice must state:

1. that the licensee discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;

2. that the consumer has the right to opt out of that disclosure; and

3. a reasonable means by which the consumer may exercise the opt out right,

provided that the licensee may require the consumer opt out through a specific means, as long as the means is reasonable for that consumer.

(a) Reasonable opt out means. A licensee provides a reasonable means to exercise an opt out right if it:

(i) designates check off boxes in a prominent position on the relevant forms with the opt out notice;

(ii) includes a reply form together with the opt out notice;

(iii) provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the licensee's web site, if the consumer agrees to the electronic delivery of information;

(iv) provides a toll-free telephone number that consumers may call to opt out; or

(v) provides the opt out notice together with or on the same written or electronic form as the initial notice the licensee provides in accordance with Section 201 of this Act.

B. Initial notice required when opt out notice delivered subsequent to initial notice.

If a licensee provides the opt out notice later than required for the initial notice in accordance with Section 201.E. of this Act, the licensee must also include a copy of the initial notice in writing or, if the consumer agrees, electronically.

C. Joint relationships.

1. If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may provide a single opt out notice. The licensee's opt out notice must explain how the licensee will treat an opt out direction by a joint consumer (as explained in paragraph C.2. of this subsection).

2. Any of the joint consumers may exercise the right to opt out. The licensee may either:

(a) treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or

(b) permit each joint consumer to opt out separately.

3. If the licensee permits each joint consumer to opt out separately, the licensee must permit one of the joint consumers to opt out on behalf of all of the joint consumers.

4. A licensee may not require all joint consumers to opt out before the licensee

implements any opt out direction.

D. Time to comply with opt out. A licensee must comply with a consumer's opt out

direction as soon as reasonably practicable after the licensee receives it.

E. Continuing right to opt out. A consumer may exercise the right to opt out at any

time.

F. Duration of consumer's opt out direction.

1. A consumer's direction to opt out under this section is effective until the consumer

revokes it in writing or, if the consumer agrees, electronically.

2. When a customer relationship terminates, the customer's opt out direction

continues to apply to the nonpublic personal financial information the licensee collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the licensee, the opt out direction that applied to the former relationship does not apply to the new relationship.

G. Delivery. When a licensee is required to deliver an opt out notice by this section,

the licensee must deliver it according to Section 206 of this Act.

Section 205: Revised privacy notices

A. General rule. Except as otherwise authorized in this Act, a licensee shall not,

directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under Section 201 of this Act, unless:

1. the licensee has provided to the consumer a revised notice that accurately

describes the licensee's policies and practices;

2. the licensee has provided to the consumer a new opt out notice and, if appropriate, an authorization as required in Section ~~401~~ 501 of this Act;

3. the licensee has given the consumer a reasonable opportunity, before the licensee

discloses the information to the nonaffiliated third party, to opt out of or, if appropriate, authorize the disclosure; and

4. the consumer does not opt out or, if appropriate, the consumer authorizes the disclosure.

B. Delivery. When the licensee is required to deliver a revised privacy notice by this

Section, the licensee must deliver it according to Section 206 of this Act.

Section 206: Delivering privacy and opt out notices

A. Provision of notices. A licensee must provide any privacy notices and opt out notices, including short-form initial notices, that this Act requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.

1. The licensee may reasonably expect that a consumer will receive actual notice if the licensee:

(a) hand-delivers a printed copy of the notice to the consumer;

(b) mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or other written communication; and

(c) electronically, clearly and conspicuously posts the notice on the electronic site for the consumer who regularly accesses the licensee's web site to conduct transactions; or

(d) for an isolated transaction with the consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, posts the notice and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.

2. A licensee may not reasonably expect that a consumer will receive actual notice of the licensee’s privacy policies and practices if the licensee:

(a) only posts a sign in its branch or office or generally publishes advertisements of its privacy policies and practices; or

(b) sends the notice via electronic mail to a consumer who does not agree to receive the notice electronically or obtain a financial product or service from the licensee electronically.

B. Annual notices only. A licensee may reasonably expect that a customer will

receive actual notice of the licensee’s annual privacy notice if:

1. the customer agrees to receive notices at the web site, and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the web site; or

2. the customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee’s current privacy notice remains available to the customer upon request.

C. Oral description of notice insufficient. A licensee may not provide any notice required by this Act solely by orally explaining the notice, either in person or over the telephone.

D. Retention or accessibility of notices for customers. For customers only, a licensee must provide the initial notice, the annual notice, and the revised notice required by this Act, so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically, including, but not limited to hand-delivering a printed copy of the notice to the customer; mailing a printed copy of the notice to the last known address of the customer upon the request of the customer; or making the licensee’s current privacy notice available on a web site (or a link to another web site) for the customer who agrees to receive the notice at the web site.

E. Joint notice with other financial institutions. A licensee may provide a joint notice from the licensee and one or more of the licensee’s affiliates, other licensees or other financial institutions, or on behalf of another financial institution, as long as the notice is accurate with respect to the licensee and the other institutions.

F. Joint relationships. If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may satisfy the initial, annual, and revised notice requirements of Sections 201, 202 and 205 irrespectively, by providing one notice to those consumers jointly.

~~Section 207: Nondiscrimination~~