[Code of Federal Regulations] [Title 12 Volume 1] [Revised as of January 1, 2004] From the U.S. Government Printing Office via GPO Access [CITE: 12CFR40.7] [Page 366-367] TITLE 12--BANKS AND BANKING CHAPTER I--COMPTROLLER OF THE CURRENCY, DEPARTMENT OF THE TREASURY PART 40--PRIVACY OF CONSUMER FINANCIAL INFORMATION--Table of Contents Subpart A--Privacy and Opt Out Notices Sec. 40.7 Form of opt out notice to consumers; opt out methods. (a) (1) Form of opt out notice. If a bank is required to provide an opt out notice under Sec. 40.10(a), it must provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under that section. The notice must state: (i) That the bank discloses or reserves the right to disclose nonpublic personal information about its consumer to a nonaffiliated third party; (ii) That the consumer has the right to opt out of that disclosure; and (iii) A reasonable means by which the consumer may exercise the opt out right. (2) Examples. (i) Adequate opt out notice. A bank provides adequate notice that the consumer can opt out of the disclosure of nonpublic personal information to a nonaffiliated third party if the bank: (A) Identifies all of the categories of nonpublic personal information that it discloses or reserves the right to disclose, and all of the categories of nonaffiliated third parties to which the bank discloses the information, as described in Sec. 40.6(a)(2) and (3), and states that the consumer can opt out of the disclosure of that information; and (B) Identifies the financial products or services that the consumer obtains from the bank, either singly or jointly, to which the opt out direction would apply. (ii) Reasonable opt out means. A bank provides a reasonable means to exercise an opt out right if it: (A) Designates check-off boxes in a prominent position on the relevant forms with the opt out notice; (B) Includes a reply form together with the opt out notice; (C) Provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the bank's web site, if the consumer agrees to the electronic delivery of information; or (D) Provides a toll-free telephone number that consumers may call to opt out. (iii) Unreasonable opt out means. A bank does not provide a reasonable means of opting out if: (A) The only means of opting out is for the consumer to write his or her own letter to exercise that opt out right; or (B) The only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that the bank provided with the initial notice but did not include with the subsequent notice. (iv) Specific opt out means. A bank may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer. (b) Same form as initial notice permitted. A bank may provide the opt out notice together with or on the same written or electronic form as the initial notice the bank provides in accordance with Sec. 40.4. (c) Initial notice required when opt out notice delivered subsequent to initial notice. If a bank provides the opt out notice later than required for the initial notice in accordance with Sec. 40.4, the bank must also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically. (d) Joint relationships. (1) If two or more consumers jointly obtain a financial product or service from a bank, the bank may provide a single opt out notice. The bank's opt out notice must explain how the bank will treat an opt out direction by a joint consumer (as explained in paragraph (d)(5) of this section). [[Page 367]] (2) Any of the joint consumers may exercise the right to opt out. The bank may either: (i) Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or (ii) Permit each joint consumer to opt out separately. (3) If a bank permits each joint consumer to opt out separately, the bank must permit one of the joint consumers to opt out on behalf of all of the joint consumers. (4) A bank may not require all joint consumers to opt out before it implements any opt out direction. (5) Example. If John and Mary have a joint checking account with a bank and arranges for the bank to send statements to John's address, the bank may do any of the following, but it must explain in its opt out notice which opt out policy the bank will follow: (i) Send a single opt out notice to John's address, but the bank must accept an opt out direction from either John or Mary. (ii) Treat an opt out direction by either John or Mary as applying to the entire account. If the bank does so and John opts out, the bank may not require Mary to opt out as well before implementing John's opt out direction. (iii) Permit John and Mary to make different opt out directions. If the bank does so: (A) It must permit John and Mary to opt out for each other; (B) If both opt out, the bank must permit both of them to notify it in a single response (such as on a form or through a telephone call); and (C) If John opts out and Mary does not, the bank may only disclose nonpublic personal information about Mary, but not about John and not about John and Mary jointly. (e) Time to comply with opt out. A bank must comply with a consumer's opt out direction as soon as reasonably practicable after the bank receives it. (f) Continuing right to opt out. A consumer may exercise the right to opt out at any time. (g) Duration of consumer's opt out direction. (1) A consumer's direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer agrees, electronically. (2) When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal information that the bank collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the bank, the opt out direction that applied to the former relationship does not apply to the new relationship. (h) Delivery. When a bank is required to deliver an opt out notice by this section, the bank must deliver it according to Sec. 40.9.