Privacy and Opt Out Notices
248.4 — Initial privacy notice to consumers required.
(a) Initial notice requirement. You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to:
(1) Customer. An individual who becomes your customer, not later than when you establish a customer relationship, except as provided in paragraph (e) of this section; and
(2) Consumer. A consumer, before you disclose any nonpublic personal information about the consumer to any nonaffiliated third party, if you make such a disclosure other than as authorized by §§ 248.14 and 248.15.
(b) When initial notice to a consumer is not required. You are not required to provide an initial notice to a consumer under paragraph (a) of this section if:
(1) You do not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by §§ 248.14 and 248.15; and
(2) You do not have a customer relationship with the consumer.
(c) When you establish a customer relationship — (1) General rule. You establish a customer relationship when you and the consumer enter into a continuing relationship.
(2) Special rule for loans. You do not have a customer relationship with a consumer if you buy a loan made to the consumer but do not have the servicing rights for that loan.
(3) Examples of establishing customer relationship. You establish a customer relationship when the consumer:
(i) Effects a securities transaction with you or opens a brokerage account with you under your procedures;
(ii) Opens a brokerage account with an introducing broker or dealer that clears transactions with and for its customers through you on a fully disclosed basis;
(iii) Enters into an advisory contract with you (whether in writing or orally); or
(iv) Purchases shares you have issued (and the consumer is the record owner of the shares), if you are an investment company.
(d) Existing customers. When an existing customer obtains a new financial product or service from you that is to be used primarily for personal, family, or household purposes, you satisfy the initial notice requirements of paragraph (a) of this section as follows:
(1) You may provide a revised privacy notice, under § 248.8, that covers the customer's new financial product or service; or
(2) If the initial, revised, or annual notice that you most recently provided to that customer was accurate with respect to the new financial product or service, you do not need to provide a new privacy notice under paragraph (a) of this section.
(e) Exceptions to allow subsequent delivery of notice. (1) You may provide the initial notice required by paragraph (a)(1) of this section within a reasonable time after you establish a customer relationship if:
(i) Establishing the customer relationship is not at the customer's election;
(ii) Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction and the customer agrees to receive the notice at a later time; or
(iii) A nonaffiliated broker or dealer or investment adviser establishes a customer relationship between you and a consumer without your prior knowledge.
(2) Examples of exceptions — (i) Not at customer's election. Establishing a customer relationship is not at the customer's election if the customer's account is transferred to you by a trustee selected by the Securities Investor Protection Corporation (“SIPC”) and appointed by a United States Court.
(ii) Substantial delay of customer's transaction. Providing notice not later than when you establish a customer relationship would substantially delay the customer's transaction when you and the individual agree over the telephone to enter into a customer relationship involving prompt delivery of the financial product or service.
(iii) No substantial delay of customer's transaction. Providing notice not later than when you establish a customer relationship would not substantially delay the customer's transaction when the relationship is initiated in person at your office or through other means by which the customer may view the notice, such as on a web site.
(f) Delivery. When you are required to deliver an initial privacy notice by this section, you must deliver it according to § 248.9. If you use a short-form initial notice for non-customers according to § 248.6(d), you may deliver your privacy notice according to § 248.6(d)(3).
248.5 — Annual privacy notice to customers required.
(a)(1) General rule. Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.
(2) Example. You provide a notice annually if you define the 12-consecutive-month period as a calendar year and provide the annual notice to the customer once in each calendar year following the calendar year in which you provided the initial notice. For example, if a customer opens an account on any day of year 1, you must provide an annual notice to that customer by December 31 of year 2.
(b)(1) Termination of customer relationship. You are not required to provide an annual notice to a former customer.
(2) Examples. Your customer becomes a former customer when:
(i) The individual's brokerage account is closed;
(ii) The individual's investment advisory contract is terminated;
(iii) You are an investment company and the individual is no longer the record owner of securities you have issued; or
(iv) You are an investment company and your customer has been determined to be a lost securityholder as defined in 17 CFR 240.17a-24(b).
(c) Special rule for loans. If you do not have a customer relationship with a consumer under the special provision for loans in § 248.4(c)(2), then you need not provide an annual notice to that consumer under this section.
(d) Delivery. When you are required to deliver an annual privacy notice by this section, you must deliver it according to § 248.9.
(e) Exception to annual privacy notice requirement — (1) When exception available. You are not required to deliver an annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with § 248.13, § 248.14, or § 248.15; and
(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 248.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.
(2) Delivery of annual privacy notice after financial institution no longer meets the requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.
(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 248.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.
(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 248.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirement of paragraph (e)(1) of this section.
(iii) Examples. (A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1. Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 248.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 248.8, you must provide an annual privacy notice by July 9 of year 1.
(B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notice to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section.
[89 FR 47688, June 3, 2024]
248.6 — Information to be included in privacy notices.
(a) General rule. The initial, annual, and revised privacy notices that you provide under §§ 248.4, 248.5, and 248.8 must include each of the following items of information that applies to you or to the consumers to whom you send your privacy notice, in addition to any other information you wish to provide:
(1) The categories of nonpublic personal information that you collect;
(2) The categories of nonpublic personal information that you disclose;
(3) The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under §§ 248.14 and 248.15;
(4) The categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under §§ 248.14 and 248.15;
(5) If you disclose nonpublic personal information to a nonaffiliated third party under § 248.13 (and no other exception applies to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted;
(6) An explanation of the consumer's right under § 248.10(a) to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time;
(7) Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
(8) Your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
(9) Any disclosure that you make under paragraph (b) of this section.
(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under §§ 248.14 and 248.15, you are not required to list those exceptions in the initial or annual privacy notices required by §§ 248.4 and 248.5. When describing the categories with respect to those parties, it is sufficient to state that you make disclosures to other nonaffiliated companies:
(1) For your everyday business purposes such as [include all that apply] to process transactions, maintain account(s), respond to court orders and legal investigations, or report to credit bureaus; or
(2) As permitted by law.
(c) Examples — (1) Categories of nonpublic personal information that you collect. You satisfy the requirement to categorize the nonpublic personal information that you collect if you list the following categories, as applicable:
(i) Information from the consumer;
(ii) Information about the consumer's transactions with you or your affiliates;
(iii) Information about the consumer's transactions with nonaffiliated third parties; and
(iv) Information from a consumer-reporting agency.
(2) Categories of nonpublic personal information you disclose. (i) You satisfy the requirement to categorize the nonpublic personal information that you disclose if you list the categories described in paragraph (e)(1) of this section, as applicable, and a few examples to illustrate the types of information in each category.
(ii) If you reserve the right to disclose all of the nonpublic personal information about consumers that you collect, you may simply state that fact without describing the categories or examples of the nonpublic personal information you disclose.
(3) Categories of affiliates and nonaffiliated third parties to whom you disclose. You satisfy the requirement to categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information if you list the following categories, as applicable, and a few examples to illustrate the types of third parties in each category:
(i) Financial service providers;
(ii) Non-financial companies; and
(iii) Others.
(4) Disclosures under exception for service providers and joint marketers. If you disclose nonpublic personal information under the exception in § 248.13 to a nonaffiliated third party to market products or services that you offer alone or jointly with another financial institution, you satisfy the disclosure requirement of paragraph (a)(5) of this section if you:
(i) List the categories of nonpublic personal information you disclose, using the same categories and examples you used to meet the requirements of paragraph (a)(2) of this section, as applicable; and
(ii) State whether the third party is:
(A) A service provider that performs marketing services on your behalf or on behalf of you and another financial institution; or
(B) A financial institution with which you have a joint marketing agreement.
(5) Simplified notices. If you do not disclose, and do not wish to reserve the right to disclose, nonpublic personal information to affiliates or nonaffiliated third parties except as authorized under §§ 248.14 and 248.15, you may simply state that fact, in addition to the information you must provide under paragraphs (a)(1), (a)(8), (a)(9), and (b) of this section.
(6) Confidentiality and security. You describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if you do both of the following:
(i) Describe in general terms who is authorized to have access to the information; and
(ii) State whether you have security practices and procedures in place to ensure the confidentiality of the information in accordance with your policy. You are not required to describe technical information about the safeguards you use.
(d) Short-form initial notice with opt out notice for non-customers. (1) You may satisfy the initial notice requirements in §§ 248.4(a)(2), 248.7(b), and 248.7(c) for a consumer who is not a customer by providing a short-form initial notice at the same time as you deliver an opt out notice as required in § 248.7.
(2) A short-form initial notice must:
(i) Be clear and conspicuous;
(ii) State that your privacy notice is available upon request; and
(iii) Explain a reasonable means by which the consumer may obtain the privacy notice.
(3) You must deliver your short-form initial notice according to § 248.9. You are not required to deliver your privacy notice with your short-form initial notice. You instead may simply provide the consumer a reasonable means to obtain your privacy notice. If a consumer who receives your short-form notice requests your privacy notice, you must deliver your privacy notice according to § 248.9.
(4) Examples of obtaining privacy notice. You provide a reasonable means by which a consumer may obtain a copy of your privacy notice if you:
(i) Provide a toll-free telephone number that the consumer may call to request the notice; or
(ii) For a consumer who conducts business in person at your office, maintain copies of the notice on hand that you provide to the consumer immediately upon request.
(e) Future disclosures. Your notice may include:
(1) Categories of nonpublic personal information that you reserve the right to disclose in the future, but do not currently disclose; and
(2) Categories of affiliates or nonaffiliated third parties to whom you reserve the right in the future to disclose, but to whom you do not currently disclose, nonpublic personal information.
(f) Model privacy form. Pursuant to § 248.2(a) and appendix A to subpart A of this part, Form S-P meets the notice content requirements of this section.
[65 FR 40362, June 29, 2000, as amended at 74 FR 62985, Dec. 1, 2009]
248.7 — Form of opt out notice to consumers; opt out methods.
(a)(1) Form of opt out notice. If you are required to provide an opt out notice under § 248.10(a), you must provide a clear and conspicuous notice to each of your consumers that accurately explains the right to opt out under that section. The notice must state:
(i) That you disclose or reserve the right to disclose nonpublic personal information about your consumer to a nonaffiliated third party;
(ii) That the consumer has the right to opt out of that disclosure; and
(iii) A reasonable means by which the consumer may exercise the opt out right.
(2) Examples — (i) Adequate opt out notice. You provide adequate notice that the consumer can opt out of the disclosure of nonpublic personal information to a nonaffiliated third party if you:
(A) Identify all of the categories of nonpublic personal information that you disclose or reserve the right to disclose, and all of the categories of nonaffiliated third parties to which you disclose the information, as described in § 248.6(a)(2) and (3) and state that the consumer can opt out of the disclosure of that information; and
(B) Identify the financial products or services that the consumer obtains from you, either singly or jointly, to which the opt out direction would apply.
(ii) Reasonable opt out means. You provide a reasonable means to exercise an opt out right if you:
(A) Designate check-off boxes in a prominent position on the relevant forms with the opt out notice;
(B) Include a reply form together with the opt out notice;
(C) Provide an electronic means to opt out, such as a form that can be sent via electronic mail or a process at your web site, if the consumer agrees to the electronic delivery of information; or
(D) Provide a toll-free telephone number that consumers may call to opt out.
(iii) Unreasonable opt out means. You do not provide a reasonable means of opting out if:
(A) The only means of opting out is for the consumer to write his or her own letter to exercise that opt out right; or
(B) The only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that you provided with the initial notice but did not include with the subsequent notice.
(iv) Specific opt out means. You may require each consumer to opt out through a specific means, as long as that means is reasonable for that consumer.
(b) Same form as initial notice permitted. You may provide the opt out notice together with or on the same written or electronic form as the initial notice you provide in accordance with § 248.4.
(c) Initial notice required when opt out notice delivered subsequent to initial notice. If you provide the opt out notice after the initial notice in accordance with § 248.4, you must also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.
(d) Joint relationships. (1) If two or more consumers jointly obtain a financial product or service from you, you may provide a single opt out notice. Your opt out notice must explain how you will treat an opt out direction by a joint consumer.
(2) Any of the joint consumers may exercise the right to opt out. You may either:
(i) Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or
(ii) Permit each joint consumer to opt out separately.
(3) If you permit each joint consumer to opt out separately, you must permit one of the joint consumers to opt out on behalf of all of the joint consumers.
(4) You may not require all joint consumers to opt out before you implement any opt out direction.
(5) Example. If John and Mary have a joint brokerage account with you and arrange for you to send statements to John's address, you may do any of the following, but you must explain in your opt out notice which opt out policy you will follow:
(i) Send a single opt out notice to John's address, but you must accept an opt out direction from either John or Mary;
(ii) Treat an opt out direction by either John or Mary as applying to the entire account. If you do so, and John opts out, you may not require Mary to opt out as well before implementing John's opt out direction; or
(iii) Permit John and Mary to make different opt out directions. If you do so:
(A) You must permit John and Mary to opt out for each other.
(B) If both opt out, you must permit both to notify you in a single response (such as on a form or through a telephone call).
(C) If John opts out and Mary does not, you may only disclose nonpublic personal information about Mary, but not about John and not about John and Mary jointly.
(e) Time to comply with opt out. You must comply with a consumer's opt out direction as soon as reasonably practicable after you receive it.
(f) Continuing right to opt out. A consumer may exercise the right to opt out at any time.
(g) Duration of consumer's opt out direction. (1) A consumer's direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer agrees, electronically.
(2) When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal information that you collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with you, the opt out direction that applied to the former relationship does not apply to the new relationship.
(h) Delivery. When you are required to deliver an opt out notice by this section, you must deliver it according to § 248.9.
(i) Model privacy form. Pursuant to § 248.2(a) and appendix A to subpart A of this part, Form S-P meets the notice content requirements of this section.
[65 FR 40362, June 29, 2000, as amended at 74 FR 62985, Dec. 1, 2009]
248.8 — Revised privacy notices.
(a) General rule. Except as otherwise authorized in this subpart, you must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that you provided to that consumer under § 248.4, unless:
(1) You have provided to the consumer a clear and conspicuous revised notice that accurately describes your policies and practices;
(2) You have provided to the consumer a new opt out notice;
(3) You have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) The consumer does not opt out.
(b) Examples. (1) Except as otherwise permitted by §§ 248.13, 248.14, and 248.15, you must provide a revised notice before you:
(i) Disclose a new category of nonpublic personal information to any nonaffiliated third party;
(ii) Disclose nonpublic personal information to a new category of nonaffiliated third party; or
(iii) Disclose nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.
(2) A revised notice is not required if you disclose nonpublic personal information to a new nonaffiliated third party that you adequately described in your prior notice.
(c) Delivery. When you are required to deliver a revised privacy notice by this section, you must deliver it according to § 248.9.
248.9 — Delivering privacy and opt out notices.
(a) How to provide notices. You must provide any privacy notices and opt out notices, including short-form initial notices that this subpart requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
(b)(1) Examples of reasonable expectation of actual notice. You may reasonably expect that a consumer will receive actual notice if you:
(i) Hand-deliver a printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice to the last known address of the consumer;
(iii) For the consumer who conducts transactions electronically, post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service; or
(iv) For an isolated transaction with the consumer, such as an ATM transaction, post the notice on the ATM screen and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.
(2) Examples of unreasonable expectation of actual notice. You may not, however, reasonably expect that a consumer will receive actual notice of your privacy policies and practices if you:
(i) Only post a sign in your branch or office or generally publish advertisements of your privacy policies and practices; or
(ii) Send the notice via electronic mail to a consumer who does not obtain a financial product or service from you electronically.
(c) Annual notices only. (1) You may reasonably expect that a customer will receive actual notice of your annual privacy notice if:
(i) The customer uses your web site to access financial products and services electronically and agrees to receive notices at the web site and you post your current privacy notice continuously in a clear and conspicuous manner on the web site; or
(ii) The customer has requested that you refrain from sending any information regarding the customer relationship, and your current privacy notice remains available to the customer upon request.
(2) Example of reasonable expectation of receipt of annual privacy notice. You may reasonably expect that consumers who share an address will receive actual notice of your annual privacy notice if you deliver the notice with or in a stockholder or shareholder report under the conditions in 17 CFR 270.30d-1(f) or 17 CFR 270.30d-2(b), or with or in a prospectus under the conditions in 17 CFR 230.154.
(d) Oral description of notice insufficient. You may not provide any notice required by this subpart solely by orally explaining the notice, either in person or over the telephone.
(e) Retention or accessibility of notices for customers. (1) For customers only, you must provide the initial notice required by § 248.4(a)(1), the annual notice required by § 248.5(a), and the revised notice required by § 248.8, so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
(2) Examples of retention or accessibility. You provide a privacy notice to the customer so that the customer can retain it or obtain it later if you:
(i) Hand-deliver a printed copy of the notice to the customer;
(ii) Mail a printed copy of the notice to the last known address of the customer; or
(iii) Make your current privacy notice available on a web site (or a link to another web site) for the customer who obtains a financial product or service electronically and agrees to receive the notice at the web site.
(f) Joint notice with other financial institutions. You may provide a joint notice from you and one or more of your affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to you and the other institutions.
(g) Joint relationships. If two or more consumers jointly obtain a financial product or service from you, you may satisfy the initial, annual, and revised notice requirements of paragraph (a) of this section by providing one notice to those consumers jointly.