[Code of Federal Regulations] [Title 12 Volume 1] [Revised as of January 1, 2004] From the U.S. Government Printing Office via GPO Access [CITE: 12CFR40.8] [Page 367-368] TITLE 12--BANKS AND BANKING CHAPTER I--COMPTROLLER OF THE CURRENCY, DEPARTMENT OF THE TREASURY PART 40--PRIVACY OF CONSUMER FINANCIAL INFORMATION--Table of Contents Subpart A--Privacy and Opt Out Notices Sec. 40.8 Revised privacy notices. (a) General rule. Except as otherwise authorized in this part, a bank must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that the bank provided to that consumer under Sec. 40.4, unless: (1) The bank has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices; (2) The bank has provided to the consumer a new opt out notice; (3) The bank has given the consumer a reasonable opportunity, before the bank discloses the information to the nonaffiliated third party, to opt out of the disclosure; and (4) The consumer does not opt out. (b) Examples. (1) Except as otherwise permitted by Sec. Sec. 40.13, 40.14, and 40.15, a bank must provide a revised notice before it: (i) Discloses a new category of nonpublic personal information to any nonaffiliated third party; (ii) Discloses nonpublic personal information to a new category of nonaffiliated third party; or (iii) Disclose nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure. (2) A revised notice is not required if the bank discloses nonpublic personal information to a new nonaffiliated [[Page 368]] third party that the bank adequately described in its prior notice. (c) Delivery. When a bank is required to deliver a revised privacy notice by this section, the bank must deliver it according to Sec. 40.9.