Rules for Privacy of Consumer Financial Information
Regulation S-P
Rule 6 -- Information to Be Included in Privacy Notices
(a) General rule. The initial, annual, and revised privacy notices that you provide under Rule 4, Rule 5, and Rule 8 must include each of the following items of information that applies to you or to the consumers to whom you send your privacy notice, in addition to any other information you wish to provide:
    (1) The categories of nonpublic personal information that you collect;
    (2) The categories of nonpublic personal information that you disclose;
    (3) The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under Rule 14 and Rule 15;
    (4) The categories of nonpublic personal information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those parties to whom you disclose information under Rule 14 and Rule 15;
    (5) If you disclose nonpublic personal information to a nonaffiliated third party under Rule 13 (and no other exception applies to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted;
    (6) An explanation of the consumer's right under Rule 10(a) to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time;
    (7) Any disclosures that you make under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
    (8) Your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
    (9) Any disclosure that you make under paragraph (b) of this section.
(b) Description of nonaffiliated third parties subject to exceptions. If you disclose nonpublic personal information to third parties as authorized under Rule 14 and Rule 15, you are not required to list those exceptions in the initial or annual privacy notices required by Rule 4 and Rule 5. When describing the categories with respect to those parties, you are required to state only that you make disclosures to other nonaffiliated third parties as permitted by law.
(c) Examples.
    (1) Categories of nonpublic personal information that you collect. You satisfy the requirement to categorize the nonpublic personal information that you collect if you list the following categories, as applicable:
        (i) Information from the consumer;
        (ii) Information about the consumer's transactions with you or your affiliates;
        (iii) Information about the consumer's transactions with nonaffiliated third parties; and
        (iv) Information from a consumer-reporting agency.
    (2) Categories of nonpublic personal information you disclose.
        (i) You satisfy the requirement to categorize the nonpublic personal information that you disclose if you list the categories described in paragraph (e)(1) of this section, as applicable, and a few examples to illustrate the types of information in each category.
        (ii) If you reserve the right to disclose all of the nonpublic personal information about consumers that you collect, you may simply state that fact without describing the categories or examples of the nonpublic personal information you disclose.
    (3) Categories of affiliates and nonaffiliated third parties to whom you disclose. You satisfy the requirement to categorize the affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information if you list the following categories, as applicable, and a few examples to illustrate the types of third parties in each category:
        (i) Financial service providers;
        (ii) Non-financial companies; and
        (iii) Others.
    (4) Disclosures under exception for service providers and joint marketers. If you disclose nonpublic personal information under the exception in Rule 13 to a nonaffiliated third party to market products or services that you offer alone or jointly with another financial institution, you satisfy the disclosure requirement of paragraph (a)(5) of this section if you:
        (i) List the categories of nonpublic personal information you disclose, using the same categories and examples you used to meet the requirements of paragraph (a)(2) of this section, as applicable; and
        (ii) State whether the third party is:
            (A) A service provider that performs marketing services on your behalf or on behalf of you and another financial institution; or
            (B) A financial institution with which you have a joint marketing agreement.
    (5) Simplified notices. If you do not disclose, and do not wish to reserve the right to disclose, nonpublic personal information to affiliates or nonaffiliated third parties except as authorized under Rule 14 and Rule 15, you may simply state that fact, in addition to the information you must provide under paragraphs (a)(1), (a)(8), (a)(9), and (b) of this section.
    (6) Confidentiality and security. You describe your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if you do both of the following:
        (i) Describe in general terms who is authorized to have access to the information; and
        (ii) State whether you have security practices and procedures in place to ensure the confidentiality of the information in accordance with your policy. You are not required to describe technical information about the safeguards you use.
(d) Short-form initial notice with opt out notice for non-customers.
    (1) You may satisfy the initial notice requirements in Rule 4(a)(2), Rule 7(b), and Rule 7(c) for a consumer who is not a customer by providing a short-form initial notice at the same time as you deliver an opt out notice as required in Rule 7.
    (2) A short-form initial notice must:
        (i) Be clear and conspicuous;
        (ii) State that your privacy notice is available upon request; and
        (iii) Explain a reasonable means by which the consumer may obtain the privacy notice.
    (3) You must deliver your short-form initial notice according to Rule 9. You are not required to deliver your privacy notice with your short-form initial notice. You instead may simply provide the consumer a reasonable means to obtain your privacy notice. If a consumer who receives your short-form notice requests your privacy notice, you must deliver your privacy notice according to Rule 9.
    (4) Examples of obtaining privacy notice. You provide a reasonable means by which a consumer may obtain a copy of your privacy notice if you:
        (i) Provide a toll-free telephone number that the consumer may call to request the notice; or
        (ii) For a consumer who conducts business in person at your office, maintain copies of the notice on hand that you provide to the consumer immediately upon request.
(e) Future disclosures. Your notice may include:
    (1) Categories of nonpublic personal information that you reserve the right to disclose in the future, but do not currently disclose; and
    (2) Categories of affiliates or nonaffiliated third parties to whom you reserve the right in the future to disclose, but to whom you do not currently disclose, nonpublic personal information.
(f) Sample clauses. Sample clauses illustrating some of the notice content required by this section are included in Appendix A of this part.