[Code of Federal Regulations]
[Title 16, Volume 1]
[Revised as of January 1, 2006]
From the U.S. Government Printing Office via GPO Access
[CITE: 16CFR313.6]

[Page 396-397]
 
                     TITLE 16--COMMERCIAL PRACTICES
 
                   CHAPTER I--FEDERAL TRADE COMMISSION
 
PART 313--PRIVACY OF CONSUMER FINANCIAL INFORMATION--Table of Contents
 
                  Subpart A--Privacy and Opt Out Notices
 
Sec. 313.6  Information to be included in privacy notices.

    (a) General rule. The initial, annual, and revised privacy notices 
that you provide under Sec. Sec. 313.4, 313.5, and 313.8 must include 
each of the following items of information that applies to you or to the 
consumers to whom you send your privacy notice, in addition to any other 
information you wish to provide:
    (1) The categories of nonpublic personal information that you 
collect;
    (2) The categories of nonpublic personal information that you 
disclose;
    (3) The categories of affiliates and nonaffiliated third parties to 
whom you disclose nonpublic personal information, other than those 
parties to whom you disclose information under Sec. Sec. 313.14 and 
313.15;
    (4) The categories of nonpublic personal information about your 
former customers that you disclose and the categories of affiliates and 
nonaffiliated third parties to whom you disclose nonpublic personal 
information about your former customers, other than those parties to 
whom you disclose information under Sec. Sec. 313.14 and 313.15;
    (5) If you disclose nonpublic personal information to a 
nonaffiliated third party under Sec. 313.13 (and no exception under 
Sec. Sec. 313.14 or 313.15 applies to that disclosure), a separate 
statement of the categories of information you disclose and the 
categories of third parties with whom you have contracted;
    (6) An explanation of the consumer's right under Sec. 313.10(a) to 
opt out of the disclosure of nonpublic personal information to 
nonaffiliated third parties, including the method(s) by which the 
consumer may exercise that right at that time;
    (7) Any disclosures that you make under section 603(d)(2)(A)(iii) of 
the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, 
notices regarding the ability to opt out of disclosures of information 
among affiliates);
    (8) Your policies and practices with respect to protecting the 
confidentiality and security of nonpublic personal information; and
    (9) Any disclosure that you make under paragraph (b) of this 
section.
    (b) Description of nonaffiliated third parties subject to 
exceptions. If you disclose nonpublic personal information to third 
parties as authorized under Sec. Sec. 313.14 and 313.15, you are not 
required to list those exceptions in the initial or annual privacy 
notices required by Sec. Sec. 313.4 and 313.5. When describing the 
categories with respect to those parties, you are required to state only 
that you make disclosures to other nonaffiliated third parties as 
permitted by law.
    (c) Examples--(1) Categories of nonpublic personal information that 
you collect. You satisfy the requirement to categorize the nonpublic 
personal information that you collect if you list the following 
categories, as applicable:
    (i) Information from the consumer;
    (ii) Information about the consumer's transactions with you or your 
affiliates;
    (iii) Information about the consumer's transactions with 
nonaffiliated third parties; and
    (iv) Information from a consumer reporting agency.
    (2) Categories of nonpublic personal information you disclose--(i) 
You satisfy the requirement to categorize the nonpublic personal 
information that you disclose if you list the categories described in 
paragraph (e)(1) of this section, as applicable, and a few examples to 
illustrate the types of information in each category.
    (ii) If you reserve the right to disclose all of the nonpublic 
personal information about consumers that you collect, you may simply 
state that fact without describing the categories or examples of the 
nonpublic personal information you disclose.
    (3) Categories of affiliates and nonaffiliated third parties to whom 
you disclose. You satisfy the requirement to categorize the affiliates 
and nonaffiliated third parties to whom you disclose nonpublic personal 
information if you list them using the following categories, as 
applicable, and a few applicable examples to illustrate 
the significant types of third parties covered in each category.
    (i) Financial service providers, followed by illustrative examples 
such as mortgage bankers, securities broker-dealers, and insurance 
agents.
    (ii) Non-financial companies, followed by illustrative examples such 
as retailers, magazine publishers, airlines, and direct marketers; and
    (iii) Others, followed by examples such as nonprofit organizations.
    (4) Disclosures under exception for service providers and joint 
marketers. If you disclose nonpublic personal information under the 
exception in Sec. 313.13 to a nonaffiliated third party to market 
products or services that you offer alone or jointly with another 
financial institution, you satisfy the disclosure requirement of 
paragraph (a)(5) of this section if you:
    (i) List the categories of nonpublic personal information you 
disclose, using the same categories and examples you used to meet the 
requirements of paragraph (a)(2) of this section, as applicable; and
    (ii) State whether the third party is:
    (A) A service provider that performs marketing services on your 
behalf or on behalf of you and another financial institution; or
    (B) A financial institution with whom you have a joint marketing 
agreement.
    (5) Simplified notices. If you do not disclose, and do not wish to 
reserve the right to disclose, nonpublic personal information about 
customers or former customers to affiliates or nonaffiliated third 
parties except as authorized under Sec. Sec. 313.14 and 313.15, you may 
simply state that fact, in addition to the information you must provide 
under paragraphs (a)(1), (a)(8), (a)(9), and (b) of this section.
    (6) Confidentiality and security. You describe your policies and 
practices with respect to protecting the confidentiality and security of 
nonpublic personal information if you do both of the following:
    (i) Describe in general terms who is authorized to have access to 
the information; and
    (ii) State whether you have security practices and procedures in 
place to ensure the confidentiality of the information in accordance 
with your policy. You are not required to describe technical information 
about the safeguards you use.
    (d) Short-form initial notice with opt out notice for non-
customers--(1) You may satisfy the initial notice requirements in 
Sec. Sec. 313.4(a)(2), 313.7(b), and 313.7(c) for a consumer who is not 
a customer by providing a short-form initial notice at the same time as 
you deliver an opt out notice as required in Sec. 313.7.
    (2) A short-form initial notice must:
    (i) Be clear and conspicuous;
    (ii) State that your privacy notice is available upon request; and
    (iii) Explain a reasonable means by which the consumer may obtain 
that notice.
    (3) You must deliver your short-form initial notice according to 
Sec. 313.9. You are not required to deliver your privacy notice with 
your short-form initial notice. You instead may simply provide the 
consumer a reasonable means to obtain your privacy notice. If a consumer 
who receives your short-form notice requests your privacy notice, you 
must deliver your privacy notice according to Sec. 313.9.
    (4) Examples of obtaining privacy notice. You provide a reasonable 
means by which a consumer may obtain a copy of your privacy notice if 
you:
    (i) Provide a toll-free telephone number that the consumer may call 
to request the notice; or
    (ii) For a consumer who conducts business in person at your office, 
maintain copies of the notice on hand that you provide to the consumer 
immediately upon request.
    (e) Future disclosures. Your notice may include:
    (1) Categories of nonpublic personal information that you reserve 
the right to disclose in the future, but do not currently disclose; and
    (2) Categories of affiliates or nonaffiliated third parties to whom 
you reserve the right in the future to disclose, but to whom you do not 
currently disclose, nonpublic personal information.
    (f) Sample clauses. Sample clauses illustrating some of the notice 
content required by this section are included in Appendix A of this 
part.
