[Code of Federal Regulations]
[Title 12, Volume 2]
[Revised as of January 1, 2003]
From the U.S. Government Printing Office via GPO Access
[CITE: 12CFR216.18]

[Page 452-454]
 
                       TITLE 12--BANKS AND BANKING
 
                   CHAPTER II--FEDERAL RESERVE SYSTEM
 
PART 216--PRIVACY OF CONSUMER FINANCIAL INFORMATION (REGULATION P)--Table of Contents
 
            Subpart D--Relation to Other Laws; Effective Date
 
Sec. 216.18  Effective date; transition rule.

    (a) Effective date. This part is effective November 13, 2000. In 
order to provide sufficient time for you to establish policies and 
systems to comply with the requirements of this part, the 
Board has extended the time for compliance with this part until July 1, 
2001.
    (b)(1) Notice requirement for consumers who are your customers on 
the compliance date. By July 1, 2001, you must have provided an initial 
notice, as required by Sec. 216.4, to consumers who are your customers 
on July 1, 2001.
    (2) Example. You provide an initial notice to consumers who are your 
customers on July 1, 2001, if, by that date, you have established a 
system for providing an initial notice to all new customers and have 
mailed the initial notice to all your existing customers.
    (c) Two-year grandfathering of service agreements. Until July 1, 
2002, a contract that you have entered into with a nonaffiliated third 
party to perform services for you or functions on your behalf satisfies 
the provisions of Sec. 216.13(a)(1)(ii) of this part, even if the 
contract does not include a requirement that the third party maintain 
the confidentiality of nonpublic personal information, as long as you 
entered into the contract on or before July 1, 2000.

                 Appendix A to Part 216--Sample Clauses

    Financial institutions, including a group of financial holding 
company affiliates that use a common privacy notice, may use the 
following sample clauses, if the clause is accurate for each institution 
that uses the notice. (Note that disclosure of certain information, such 
as assets, income, and information from a consumer reporting agency, may 
give rise to obligations under the Fair Credit Reporting Act, such as a 
requirement to permit a consumer to opt out of disclosures to affiliates 
or designation as a consumer reporting agency if disclosures are made to 
nonaffiliated third parties.)

      A-1--Categories of information you collect (all institutions)

    You may use this clause, as applicable, to meet the requirement of 
Sec. 216.6(a)(1) to describe the categories of nonpublic personal 
information you collect.
    Sample Clause A-1:
    We collect nonpublic personal information about you from the 
following sources:
    • Information we receive from you on applications or other 
forms;
    • Information about your transactions with us, our affiliates, 
or others; and
    • Information we receive from a consumer reporting agency.

A-2--Categories of information you disclose (institutions that disclose 
                       outside of the exceptions)

    You may use one of these clauses, as applicable, to meet the 
requirement of Sec. 216.6(a)(2) to describe the categories of nonpublic 
personal information you disclose. You may use these clauses if you 
disclose nonpublic personal information other than as permitted by the 
exceptions in Secs. 216.13, 216.14, and 216.15.
    Sample Clause A-2, Alternative 1:
    We may disclose the following kinds of nonpublic personal 
information about you:
    • Information we receive from you on applications or other 
forms, such as [provide illustrative examples, such as "your name, 
address, social security number, assets, and income"];
    • Information about your transactions with us, our affiliates, 
or others, such as [provide illustrative examples, such as "your 
account balance, payment history, parties to transactions, and credit 
card usage"]; and
    • Information we receive from a consumer reporting agency, 
such as [provide illustrative examples, such as "your creditworthiness 
and credit history"].
    Sample Clause A-2, Alternative 2:
    We may disclose all of the information that we collect, as described 
[describe location in the notice, such as "above" or "below"].

  A-3--Categories of information you disclose and parties to whom you 
 disclose (institutions that do not disclose outside of the exceptions)

    You may use this clause, as applicable, to meet the requirements of 
Secs. 216.6(a)(2), (3), and (4) to describe the categories of nonpublic 
personal information about customers and former customers that you 
disclose and the categories of affiliates and nonaffiliated third 
parties to whom you disclose. You may use this clause if you do not 
disclose nonpublic personal information to any party, other than as 
permitted by the exceptions in Secs. 216.14, and 216.15.
    Sample Clause A-3:
    We do not disclose any nonpublic personal information about our 
customers or former customers to anyone, except as permitted by law.

   A-4--Categories of parties to whom you disclose (institutions that 
                   disclose outside of the exceptions)

    You may use this clause, as applicable, to meet the requirement of 
Sec. 216.6(a)(3) to describe the categories of affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information. You may use this clause if you disclose nonpublic personal 
information other than as permitted by the exceptions in Secs. 216.13, 
216.14, and 
216.15, as well as when permitted by the exceptions in Secs. 216.14, and 
216.15.
    Sample Clause A-4:
    We may disclose nonpublic personal information about you to the 
following types of third parties:
    • Financial service providers, such as [provide illustrative 
examples, such as "mortgage bankers, securities broker-dealers, and 
insurance agents"];
    • Non-financial companies, such as [provide illustrative 
examples, such as "retailers, direct marketers, airlines, and 
publishers"]; and
    • Others, such as [provide illustrative examples, such as 
"non-profit organizations"].
    We may also disclose nonpublic personal information about you to 
nonaffiliated third parties as permitted by law.

             A-5--Service provider/joint marketing exception

    You may use one of these clauses, as applicable, to meet the 
requirements of Sec. 216.6(a)(5) related to the exception for service 
providers and joint marketers in Sec. 216.13. If you disclose nonpublic 
personal information under this exception, you must describe the 
categories of nonpublic personal information you disclose and the 
categories of third parties with whom you have contracted.
    Sample Clause A-5, Alternative 1:
    We may disclose the following information to companies that perform 
marketing services on our behalf or to other financial institutions with 
whom we have joint marketing agreements:
    • Information we receive from you on applications or other 
forms, such as [provide illustrative examples, such as "your name, 
address, social security number, assets, and income"];
    • Information about your transactions with us, our affiliates, 
or others, such as [provide illustrative examples, such as "your 
account balance, payment history, parties to transactions, and credit 
card usage"]; and
    • Information we receive from a consumer reporting agency, 
such as [provide illustrative examples, such as "your creditworthiness 
and credit history"].
    Sample Clause A-5, Alternative 2:
    We may disclose all of the information we collect, as described 
[describe location in the notice, such as "above" or "below"] to 
companies that perform marketing services on our behalf or to other 
financial institutions with whom we have joint marketing agreements.

A-6--Explanation of opt out right (institutions that disclose outside of 
                             the exceptions)

    You may use this clause, as applicable, to meet the requirement of 
Sec. 216.6(a)(6) to provide an explanation of the consumer's right to 
opt out of the disclosure of nonpublic personal information to 
nonaffiliated third parties, including the method(s) by which the 
consumer may exercise that right. You may use this clause if you 
disclose nonpublic personal information other than as permitted by the 
exceptions in Secs. 216.13, 216.14, and 216.15.
    Sample Clause A-6:
    If you prefer that we not disclose nonpublic personal information 
about you to nonaffiliated third parties, you may opt out of those 
disclosures, that is, you may direct us not to make those disclosures 
(other than disclosures permitted by law). If you wish to opt out of 
disclosures to nonaffiliated third parties, you may [describe a 
reasonable means of opting out, such as "call the following toll-free 
number: (insert number)"].

          A-7--Confidentiality and security (all institutions)

    You may use this clause, as applicable, to meet the requirement of 
Sec. 216.6(a)(8) to describe your policies and practices with respect to 
protecting the confidentiality and security of nonpublic personal 
information.
    Sample Clause A-7:
    We restrict access to nonpublic personal information about you to 
[provide an appropriate description, such as "those employees who need 
to know that information to provide products or services to you"]. We 
maintain physical, electronic, and procedural safeguards that comply 
with federal standards to guard your nonpublic personal information.