(a) How to provide
notices. You must provide any privacy notices and opt-out notices,
including short-form initial notices, that this part requires so that
each consumer can reasonably be expected to receive actual notice
in writing or, if the consumer agrees, electronically.
(b) (1) Examples of reasonable expectation of actual notice. You may
reasonably expect that a consumer will receive actual notice if you:
(i) Hand-deliver a
printed copy of the notice to the consumer;
(ii) Mail a printed copy of the notice
to the last known address of the consumer;
(iii) For the consumer who conducts
transactions electronically:
(A) In the case of financial institutions
other than those described in section 1016.3(l)(3) of this
part, post the notice on the electronic site and require the consumer
to acknowledge receipt of the notice as a necessary step to obtaining
a particular financial product or service; or
(B) In the case of financial institutions
described in section 1016.3(l)(3), clearly and conspicuously
post the notice on the electronic site and require the consumer to
acknowledge receipt of the notice as a necessary step to obtaining
a particular financial product or service;
(iv) For an isolated transaction with
the consumer, such as an ATM transaction, post the notice on the ATM
screen and require the consumer to acknowledge receipt of the notice
as a necessary step to obtaining the particular financial product
or service.
(2) Examples of unreasonable expectation of actual
notice. You may not, however, reasonably expect that a consumer
will receive actual notice of your privacy policies and practices
if you:
(i) Only
post a sign in your branch or office or generally publish advertisements
of your privacy policies and practices; or
(ii) Send the notice via electronic
mail to a consumer who does not obtain a financial product or service
from you electronically.
6-7290
(c) Annual notices only. You may reasonably
expect that a customer will receive actual notice of your annual privacy
notice if:
(1) The customer
uses your website to access financial products and services electronically
and agrees to receive notices at the website, and you post your current
privacy notice continuously in a clear and conspicuous manner on the
website; or
(2) The customer has
requested that you refrain from sending any information regarding
the customer relationship, and your current privacy notice remains
available to the customer upon request.
(d) Oral description of notice insufficient. You may not provide any notice required by this part solely by orally
explaining the notice, either in person or over the telephone.
(e) Retention or accessibility of notices
for customers.
(1)
For customers only, you must provide the initial notice required by
section 1016.4(a)(1), the annual notice required by section 1016.5(a),
and the revised notice required by section 1016.8 so that the customer
can retain them or obtain them later in writing or, if the customer
agrees, electronically.
(2) Examples of retention or accessibility. You provide a privacy notice to the customer so that the customer
can retain it or obtain it later if you:
(i) Hand-deliver a printed copy of the
notice to the customer;
(ii)
Mail a printed copy of the notice to the last known address of the
customer, or, in the case of credit unions, mail a printed copy of
the notice to the last known address of the customer upon request
of the customer; or
(iii) Make
your current privacy notice available on a Web site (or a link to
another Web site) for the customer who obtains a financial product
or service electronically and agrees to receive the notice at the
Web site.
6-7291
(f) Joint notice with other financial institutions. You may provide
a joint notice from you and one or more of your affiliates or other
financial institutions, as identified in the notice, as long as the
notice is accurate with respect to you and the other institutions.
(g) Joint relationships in the case
of financial institutions other than credit unions and covered entities
subject to FTC enforcement jurisdiction. For purposes of this
paragraph (g), “you” is limited to financial institutions other than
credit unions and the financial institutions described in section
1016.3(l)(3). If two or more consumers jointly obtain a financial
product or service from you, you may satisfy the initial, annual,
and revised notice requirements of sections 1016.4(a), 1016.5(a),
and 1016.8(a), respectively, by providing one notice to those consumers
jointly.
(h) Joint relationships
in the case of covered entities subject to FTC enforcement jurisdiction. For purposes of this paragraph (h), “you” is limited to the financial
institutions described in section 1016.3(l)(3). If two or more
consumers jointly obtain a financial product or service from you,
you may satisfy the initial, annual, and revised notice requirements
of sections 1016.4(a), 1016.5(a), and 1016.8(a) by providing one notice
to those consumers jointly, unless one or more of those consumers
requests separate notices.
(i) Joint
relationships in the case of credit unions.
(1) If two or more consumers jointly obtain
a financial product or service, other than a loan, from a credit union,
the credit union may satisfy the requirements of section 1016.4(a)
by providing one initial notice to those consumers jointly.
(2) Special rule for loans in the case
of credit unions.
(i) A credit union is required to provide
an initial notice to a borrower or guarantor on a loan if the credit
union shares his or her nonpublic personal information with nonaffiliated
third parties other than for purposes under sections 1016.13, 1016.14,
and 1016.15.
(ii) A credit union
may satisfy the annual notice requirements of section 1016.5 by providing
one notice to those borrowers and guarantors jointly.
