(a) (1) General rule. Except as provided by paragraph (e) of this
section, you must provide a clear and conspicuous notice to customers
that accurately reflects your privacy policies and practices not less
than annually during the continuation of the customer relationship.
Annually means at least once in any period of 12 consecutive months
during which that relationship exists. You may define the 12-consecutive-month
period, but you must apply it to the customer on a consistent basis.
(2) Example. You provide a notice annually
if you define the 12-consecutive-month period as a calendar year and
provide the annual notice to the customer once in each calendar year
following the calendar year in which you provided the initial notice.
For example, if a customer opens an account on any day of year 1,
you must provide an annual notice to that customer by December 31
of year 2.
(b) (1) Termination of customer relationship. You are not required
to provide an annual notice to a former customer.
(2) Examples in the case of financial institutions other than credit
unions and covered entities subject to FTC enforcement jurisdiction.
For purposes of this paragraph (b)(2), “you” is limited to financial
institutions other than credit unions and financial institutions
described in section 1016.3(l)(3). Your customer becomes a former
customer when:
(i) In the case of a deposit account, the account is inactive under
your policies;
(ii) In the case of a closed-end loan, the customer pays the loan in
full, you charge off the loan, or you sell the loan without retaining
servicing rights;
(iii) In the case of a credit card relationship
or other open-end credit relationship, you no longer provide any statements
or notices to the customer concerning that relationship or you sell
the credit card receivables without retaining servicing rights; or
(iv) You have not communicated with the customer about the relationship
for a period of 12 consecutive months, other than to provide annual
privacy notices or promotional material.
(3) Examples in the case of covered entities subject
to FTC enforcement jurisdiction. For purposes of this paragraph
(b)(3), “you” is limited to financial institutions described in section
1016.3(l)(3) of this part. Your customer becomes a former customer
when:
(i) In the case of a closed-end loan, the customer pays the loan in
full, you charge off the loan, or you sell the loan without retaining
servicing rights;
(ii) In the case of a credit card relationship or other open-end credit
relationship, you sell the receivables without retaining servicing rights;
(iii) In the case of credit counseling
services, the customer has failed to make required payments under
a debt management plan, has been notified that the plan is terminated,
and you no longer provide any statements or notices to the customer
concerning that relationship;
(iv) In the case of mortgage or vehicle loan brokering services,
your customer has obtained a loan through you (and you no longer provide
any statements or notices to the customer concerning that relationship),
or has ceased using your services for such purposes;
(v) In the case of tax preparation services,
you have provided and received payment for the service and no longer
provide any statements or notices to the customer concerning that
relationship;
(vi) In the case of providing real estate settlement services, at the
time the customer completes execution of all documents related to the
real estate closing, you have received payment, or you have completed
all of your responsibilities with respect to the settlement, including
filing documents on the public record, whichever is later; or
(vii) In cases where there is no definitive
time at which the customer relationship has terminated, you have not
communicated with the customer about the relationship for a period
of 12 consecutive months, other than to provide annual privacy notices
or promotional material.
(4) Examples in the case of a credit union. An individual becomes a former customer of a credit union when:
(i) The individual is no longer the credit union’s member as defined
in the credit union’s bylaws;
(ii) In the case of a nonmember’s share or share draft account, the
account is inactive under the credit union’s policies;
(iii) In the case of a nonmember’s closed-end loan, the loan is paid
in full, the credit union charges off the loan, or the credit union
sells the loan without retaining servicing rights;
(iv) In the case of a credit card relationship
or other open-end credit relationship with a nonmember, the credit
union no longer provides any statements or notices to the nonmember
concerning that relationship, or the credit union sells the credit
card receivables without retaining servicing rights; or
(v) The credit union has not communicated with the nonmember about the
relationship for a period of 12 consecutive months, other than to
provide annual privacy notices or promotional material.
(e) (1) When exception available. You are not required to deliver an
annual privacy notice if you:
(i) Provide nonpublic personal information to nonaffiliated third
parties only in accordance with the provisions of section 1016.13,
section 1016.14, or section 1016.15; and
(ii) Have not changed your policies and practices with regard to
disclosing nonpublic personal information from the policies and
practices that were disclosed to the customer under section
1016.6(a)(2) through (5) and (9) in the most recent privacy notice
provided pursuant to this part.
(2) Delivery of annual privacy notice after financial institution no
longer meets requirements for exception. If you have been excepted from
delivering an annual privacy notice pursuant to paragraph (e)(1) of this
section and change your policies or practices in such a way that you no
longer meet the requirements for that exception, you must comply with
paragraph (e)(2)(i) or (e)(2)(ii) of this section, as applicable.
(i) Changes preceded by a revised privacy notice. If you no longer meet
the requirements of paragraph (e)(1) of this section because you change
your policies or practices in such a way that section 1016.8 requires
you to provide a revised privacy notice, you must provide an annual
privacy notice in accordance with the timing requirements in paragraph
(a) of this section, treating the revised privacy notice as an initial
privacy notice.
(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this
section because you change your policies or practices in such a way
that section 1016.8 does not require you to provide a revised privacy
notice, you must provide an annual privacy notice within 100 days
of the change in your policies or practices that causes you to no
longer meet the requirements of paragraph (e)(1) of this section.
(iii) Examples.
(A) You change your policies and practices in such a way that you no longer
meet the requirements of paragraph (e)(1) of this section effective
April 1 of year 1. Assuming you define the 12-consecutive-month period
pursuant to paragraph (a) of this section as a calendar year, if you
were required to provide a revised privacy notice under section 1016.8
and you provided that notice on March 1 of year 1, you must provide
an annual privacy notice by December 31 of year 2. If you were not
required to provide a revised privacy notice under section 1016.8,
you must provide an annual privacy notice by July 9 of year 1.
(B) You change your policies and practices
in such a way that you no longer meet the requirements of paragraph
(e)(1) of this section, and so provide an annual notice to your customers.
After providing the annual notice to your customers, you once again
meet the requirements of paragraph (e)(1) of this section for an exception
to the annual notice requirement. You do not need to provide additional
annual notices to your customers until such time as you no longer
meet the requirements of paragraph (e)(1) of this section.