The Notice Requirements

Again, a “notice” is information you provide to the consumer. A “disclosure” is information about the consumer that you provide to a third party.

The phrase “clear and conspicuous” appears at various points in the following text.

Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice. [Section 1016.3(b)(1)] Examples of what is reasonably understandable include: presenting information in clear and concise sentences, paragraphs, and sections; using short explanatory sentences or bullet lists whenever possible; using definite, concrete, everyday words and active voice whenever possible; avoiding multiple negatives; avoiding legal and highly technical business terminology whenever possible; and avoiding explanations that are imprecise and readily subject to different interpretations. [Section 1016.3(b)(2)(i)] Examples of a notice designed to call attention to the nature and significance of its information include: using plain-language headings to call attention to the notice; using typeface and type size that are easy to read; providing wide margins and ample line spacing; using boldface or italics for key words; and, in a form that combines your notice with other information, using distinctive type size, style, and graphic devices, such as shading or sidebars, to set the notice apart from that other information. [Section 1016.3(b)(2)(ii)]

For notices on websites, you design your notice to call attention to the nature and significance of the information in it if you use text or visual cues to encourage scrolling down the page, if necessary, to view the entire notice; ensure that other elements on the website (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice; and either place the notice on a screen that consumers frequently access, such as a page on which transactions are conducted, or place a link on such a screen that connects directly to the notice and is labeled appropriately to convey the importance, nature, and relevance of the notice. [Section 1016.3(b)(2)(iii)] Similar to the recommendations of other agency consumer regulations, if your web pages provide links to notices, you should position those links at the top of those web pages. [Small Bank Compliance Guide, OCC Bulletin 2001-51]

The initial notice

You must give an initial clear and conspicuous notice that describes your privacy policies and practices to “consumers” and to “customers.” [Section 1016.4(a)] When you must give this initial notice depends on whether you are giving it to a consumer or to a customer.

A consumer is an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes. [Section 1016.3(e)(1)] The term “financial product or service” includes, among many other things, opening and maintaining a deposit account. [Section 1016.3(m)(1) and 12 USC 1843(k)]

A customer is a consumer who has a “customer relationship” with you. [Section 1016.3(i)] A customer relationship is a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes. [Section 1016.3(j)(1)] A consumer has a continuing relationship with you if the consumer has a deposit or investment account with you. [Section 1016.3(j)(2)(i)(A)] In the case of credit unions, a customer relationship can exist between the credit union and certain consumers that are not the credit union's members. [Section 1016.3(j)(1) and see Section 1016.3(j)(4)] The consumer does not, however, have a continuing relationship with you by virtue of making an isolated transaction with you, such as using your automated teller machine (ATM) to withdraw cash from an account at another financial institution, or purchasing a cashier's check or money order. [Section 1016.3(j)(2)(ii)(A)]

[Since this is a deposit account manual, the circumstances we list in the previous paragraph are limited to those related to deposit accounts. The regulations list other, nonloan related, examples of a “continuing relationship.” See Section 1016.3(j)(2)(i) and (ii).]

Notice that “customer” is defined as a “consumer” who has a customer relationship with you. That means that customer is a subset of consumer—that is, if a person is not a consumer, that person is not a customer for purposes of the privacy regulations.

Earlier we said that the timing of your initial privacy notice depends on whether the person you are giving it to is a consumer or a customer. If the person is a customer, you must give the initial notice not later than when you establish a customer relationship (with a few exceptions listed in the next paragraph). [Section 1016.4(a)(1)] If the person is a consumer, but not a customer, you must give the initial notice before you disclose any “nonpublic personal information” about the consumer to any “nonaffiliated third party.” [Section 1016.4(a)(2)] We’ll look at the exceptions to the “customer” requirement first, then take a closer look at the “consumer” requirement.

Normally, as we said, you must provide the initial notice to a customer no later than when you establish a customer relationship. [Section 1016.4(a)(1)] The regulations allow you to deliver the notice later than that under two circumstances. The first is when establishing the customer relationship is not at the customer’s election. [Section 1016.4(e)(1)(i)] This would happen, for example, if you acquire the servicing rights to a customer’s loan from another financial institution, and the customer does not have a choice about the acquisition. [Section 1016.4(e)(2)(i)(A)] Second, you are permitted to provide the notice later, if providing it at the beginning of the customer relationship would substantially delay the customer’s transaction and the customer agrees to receive the notice later. [Section 1016.4(e)(1)(ii)] This would happen, for example, if you and the customer entered into a transaction over the telephone, and the agreement included prompt delivery of the financial service or product. [Section 1016.4(e)(2)(ii)(A)] In both of these cases, you are still required to supply the initial notice within a “reasonable time” following the time you establish the customer relationship. [Section 1016.4(e)(1)]

Now for a closer look at the consumer requirement. Remember that if the consumer is not a customer, you are required to provide the initial notice before you disclose any nonpublic personal information about the consumer to any nonaffiliated third party. It follows, then, that if your policy is to not disclose nonpublic personal information about such a consumer (one who is not a customer) to any nonaffiliated third party, you need not provide the initial notice. [Section 1016.4(b)(1)] This is true even if you disclose some nonpublic personal information to nonaffiliated third parties, but the disclosures are authorized under the exceptions in Section 1016.14 or Section 1016.15, described later in this chapter. [Section 1016.4(b)(1)]

A special rule applies to existing customers, which is the term the regulations use to refer to customers who, at any given point in time, have a customer relationship with you. The special rule deals with whether the initial notice must be given when an existing customer obtains a new financial product or service from you for consumer purposes. The special rule says that if the initial notice, a revised notice (described later), or an annual notice (also described later) that you most recently provided to the customer is accurate with respect to the new product or service, you need not supply a new notice at all. If the most recent notice is not accurate with respect to the new product or service, you will need to provide a “revised” notice that covers the new financial product or service. [Section 1016.4(d)(1) and (2)]

Later in this chapter is more information about the initial notice, including a description of the content of these notices, delivery methods, and exceptions to providing the initial notice.

The annual notice

You must also provide an annual clear and conspicuous privacy notice to customers. Specifically, you must provide the annual notice at least once in any period of 12 consecutive months during which your customer relationship exists. You are allowed to identify the 12-month period as you wish, but you must apply it consistently. [Section 1016.5(a)(1)] So, for example, you could select the calendar year as your 12-month period. You would then have to provide an annual notice to a customer in each calendar year following the calendar year in which you provided the initial notice. [Section 1016.5(a)(2)]

Your obligation to send an annual notice ends when the customer becomes a “former customer.” [Section 1016.5(b)(1)] This happens: in the case of a closed-end loan, when the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights [Section 1016.5(b)(2)(ii)]; in the case of an open-end loan, when you no longer provide any statements or notices to the customer concerning that relationship, or you sell the receivables without retaining servicing rights [Section 1016.5(b)(2)(iii)]; and when you have not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material. [Section 1016.5(b)(2)(iv)]

We deal with the form and content of the annual notice in a later section.

Exception to annual privacy notice requirement

You are not required to deliver an annual privacy notice if you:

• Provide nonpublic personal information to nonaffiliated third parties only in accordance with the exceptions in Sections 1016.13, 1016.14 or 1016.15 (described later in this chapter); and

• Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under Section 1016.6(a)(2) through (5) and (9) (the categories of nonpublic personal information that you collect and disclose, the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, categories of information and third parties relating to former customers, Section 1016.13 exceptions, and description of nonaffiliated third parties subject to exceptions) in the most recent annual privacy notice provided.

Delivery of annual privacy notice after you no longer meet the requirements for this annual privacy notice requirement exception. If you have been excepted from delivering an annual privacy notice and you change your policies or practices in a way that you no longer meet the requirements for that exception, you must comply as follows, as applicable:
  • If you no longer meet the requirements for this exception because you changed your policies or practices in such a way that you were required to provide a revised privacy notice (see the following section for more information about revised policy notices), you must provide a clear and conspicuous annual privacy notice to your customers that accurately reflects your privacy policies and practices not less than annually (at least once in any period of 12 consecutive months and on a consistent basis) during the continuation of the customer relationship, treating the revised privacy notice as an initial privacy notice.
  • If you no longer meet the requirements for this exception because you changed your policies or practices, but in such a way that you were not required to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the annual privacy notice requirement exception.

    For example, assuming your 12-consecutive-month period is defined as a calendar year and you changed your policies or practices so that you no longer meet the requirements for the annual privacy notice exception on April 1 of year 1: if you were required to provide a revised privacy notice and had provided that notice on March 1 of year 1, then you must provide an annual privacy notice by December 31 of year 2; if you were not required to provide a revised privacy notice, then you must provide an annual privacy notice by July 9 of year 1.

    Also, if you change your policies and practices in such a way that you no longer meet the requirements for the annual privacy notice exception and so provide an annual notice to your customers, after providing the annual notice to your customers you once again meet the requirements for an exception to the annual notice requirement. You do not need to provide additional annual notices to your customers until such time as you no longer meet the exception requirements.

[Section 1016.5(e)]

Revised policy notices when your policy changes

If your privacy policy changes, you must supply consumers with a clear and conspicuous revised policy notice that accurately describes your new policy. You must supply this notice prior to making any disclosure of nonpublic personal information to a nonaffiliated third party other than what your latest initial notice described (unless your disclosure fits one of the exceptions described later). [Section 1016.8(a)(1)] Furthermore, you cannot make such a disclosure until: (1) you have provided to the consumer a new “opt-out” notice; (2) you have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and (3) the consumer does not opt out. [Section 1016.8(a)(1) – (4)]

Policy changes that would trigger this requirement include:
  • Disclosing a new category of nonpublic personal information to any nonaffiliated third party.
  • Disclosing nonpublic personal information to a new category of nonaffiliated third party.
  • Disclosing nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt-out right regarding that disclosure.

[Section 1016.8(b)(1)(i) – (iii)]

One circumstance that does not trigger the revised notice requirement is when you disclose nonpublic personal information to a new nonaffiliated third party that you adequately described in your prior notice. [Section 1016.8(b)(2)] In other words, making a disclosure to a nonaffiliated third party to whom you have not previously made disclosures does not require a revised notice if your prior notice adequately described a category of nonaffiliated third parties into which the new nonaffiliated third party fits.

Contents of privacy notices (initial, annual, and revised)

The regulations require the following information in the initial, annual, and revised privacy notices. You may, however, add more information if you like. Also see the end of this section for details on a simplified notice.

Your notice must contain:
  • The categories of nonpublic personal information that you collect.
  • The categories of nonpublic personal information that you disclose.
  • The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those to whom you disclose information under the exceptions for third parties who provide processing and servicing of transactions—Section 1016.14—and the exceptions under Section 1016.15. (We review these exceptions in a later section of this chapter.)
  • The categories of nonpublic personal information about your former customers that you disclose, and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information about your former customers, other than those to whom you disclose information under the exceptions for third parties who provide processing and servicing of transactions—Section 1016.14—and certain other exceptions under Section 1016.15. (Again, we review these exceptions in a later section of this chapter.)
  • If you disclose nonpublic personal information to a nonaffiliated third party under the exception to opt out requirements for service providers and joint marketing - Section 1016.13 (and no other exceptions in Sections 1016.14 or 1016.15 apply to that disclosure), a separate statement of the categories of information you disclose and the categories of third parties with whom you have contracted. (Again, we review these exceptions in a later section of this chapter.)
  • An explanation of the consumer’s right under Section 1016.10(a) to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the method(s) by which the consumer may exercise that right at that time.
  • Any disclosures that you make under a section of the Fair Credit Reporting Act having to do with the ability to opt out of disclosures of information among affiliates.
  • Your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
  • A statement, if true, that you make disclosures to other nonaffiliated third parties as permitted by law.

[Section 1016.6(a)(1) – (9) and Section 1016.6(b)]

Let’s look at each of these more closely.

The categories of nonpublic personal information that you collect. The regulations allow you to use rather general descriptions here. You can use whatever of the following is an accurate description of the information you collect: (1) information from the consumer; (2) information about the consumer’s transactions with you or your affiliates; (3) information about the consumer’s transactions with nonaffiliated third parties; and (4) information from a consumer reporting agency. [Section 1016.6(c)(1)(i) – (iv)]

The categories of nonpublic personal information that you disclose. Again, you can use general descriptions here. You satisfy the rule if you use the applicable categories from the previous paragraph, and include a few examples to illustrate the types of information in each category. [Section 1016.6(c)(2)(i)] You could also state simply that you disclose all of the nonpublic personal information about consumers that you collect, if that is the case. [Section 1016.6(c)(2)(ii)] You can also include categories of nonpublic personal information that you reserve the right to disclose in the future, but do not currently disclose. [Section 1016.6(e)(1)]

The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information. You satisfy the requirement here if you list the following categories, as applicable, and a few examples to illustrate the types of third parties in each category: (1) financial service providers, (2) nonfinancial companies, and (3) others. [Section 1016.6(c)(3)(i) – (iii)] Remember also that you need not include any reference to third parties to whom you disclose information and who provide processing and servicing of transactions under Section 1016.14, and certain other exceptions under Section 1016.15. You can also include categories of affiliates or nonaffiliated third parties to whom you reserve the right in the future to disclose, but to whom you do not currently disclose, nonpublic personal information. [Section 1016.6(e)(2)]

Categories of information and third parties relating to former customers. Recall that a customer becomes a former customer when, in the case of a closed-end loan, the customer pays the loan in full, you charge off the loan, or you sell the loan without retaining servicing rights. [Section 1016.5(b)(2)(ii)] In the case of an open-end loan, the customer is a former customer when you no longer provide any statements or notices to the customer concerning that relationship, or you sell the receivables without retaining servicing rights. [Section 1016.5(b)(2)(iii)] A customer also becomes a former customer when you have not communicated with the customer about the relationship for a period of 12 consecutive months, other than to provide annual privacy notices or promotional material. [Section 1016.5(b)(2)(iv)] If the relationship is a deposit account, the customer is a former customer when the account is inactive under your policies. [Section 1016.5(b)(2)(i)]

Disclosures under the Section 1016.13 exception for service providers and joint marketing. Again, we will review the Section 1016.13 exceptions later. On your notice form, you need to describe the categories of information you disclose and state whether the third party is: (1) a service provider that performs marketing services on your behalf or on behalf of you and another financial institution, or (2) a financial institution with whom you have a joint-marketing agreement. [Section 1016.6(c)(4)]

Explanation of opt-out rights. As we will see later, consumers sometimes have the right to “opt out of” (i.e., prevent) your disclosure of nonpublic personal information. Your notice must explain those rights and the method(s) by which the consumer may exercise that right. [Section 1016.6(a)(6)]

Reference to Fair Credit Reporting Act (FCRA) notice. Briefly, the FCRA requires that you provide a notice and opportunity to opt out to a consumer before providing information about the consumer (other than information about your own transactions and experiences with the consumer) to an affiliate. Failing to give this notice could mean the disclosure of information is a “consumer report,” which, in turn, could mean that you would become a “consumer reporting agency,” subject to all sorts of requirements and restrictions. See 15 USC § 1681a(d)(2)(A)(3). You need to refer in your privacy notices to any such FCRA notices you provide.

Confidentiality and security policies and practices. To satisfy this requirement, you must both: (1) describe in general terms who is authorized to have access to the nonpublic personal information; and (2) state whether you have security practices and procedures in place to ensure the confidentiality of the information in accordance with your policy. You are not required to describe technical information about the safeguards that you use. [Section 1016.6(c)(6)]

Statement about disclosures to other nonaffiliated third parties as permitted by law. This is a reference to your right under Sections 1016.14 and 1016.15 to make disclosures of nonpublic personal information to certain nonaffiliated third parties, without having to provide the consumer with an opportunity to opt out. [Section 1016.6(b)] See later sections in this chapter describing the Section 1016.14 and Section 1016.15 exceptions.

The regulations provide sample clauses for all the notice forms. You can find the model forms and instructions for these forms in Appendix A to the regulations.

Simplified notice

If you do not disclose, and do not wish to reserve the right to disclose, nonpublic personal information about customers or former customers to affiliates or nonaffiliated third parties except as provided under the exceptions in Section 1016.14 and Section 1016.15, your notice can be simplified. See the discussion later in this chapter about the Section 1016.14 and Section 1016.15 exceptions for more details.

In such a case, the notice only needs to state that you do not disclose nonpublic personal information about customers or former customers to affiliates or nonaffiliated third parties, except as provided under the exceptions in Section 1016.14 and Section 1016.15, plus the information required by the first, eighth, and ninth requirements above (i.e., the categories of nonpublic personal information that you collect, your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information, and the statement about disclosures to other nonaffiliated third parties as permitted by law). [Section 1016.6(c)(5)]

Short-form initial notice with opt-out notice

For consumers who are not customers, you can meet the initial notice requirement by providing a short-form notice along with an opt-out notice. [Section 1016.6(d)(1)] A short-form notice only needs to: (1) be clear and conspicuous, (2) state that your privacy notice is available on request, and (3) explain a reasonable means by which the consumer may obtain that notice. [Section 1016.6(d)(2)] “Reasonable means” includes a toll-free telephone number for requesting the notice or having copies of the notice on hand for in-person transactions. [Section 1016.6(d)(4)] Of course, if a consumer requests your privacy notice, you must provide it. [Section 1016.6(d)(3)]

Opt-out notice

As we point out later in this chapter, there are conditions on your being able to disclose a consumer’s nonpublic personal information to a nonaffiliated third party. One of those conditions is that you provide an “opt-out notice” to the consumer prior to disclosing the information. [Section 1016.10(a)(1)(ii)]

An opt-out notice must be a clear and conspicuous notice that accurately explains the right to opt out. [Section 1016.7(a)(1)] The notice must include three things:
  • A statement that you disclose, or reserve the right to disclose, nonpublic personal information about your consumer to a nonaffiliated third party,
  • A statement that the consumer has the right to opt out of that disclosure, and
  • A description of a reasonable means by which the consumer may exercise the opt-out right.

[Section 1016.7(a)(1)(i) – (iii)]

In order to disclose adequately the right to opt out, the notice should identify all of the categories of nonpublic personal information that you disclose or reserve the right to disclose, and all the categories of nonaffiliated third parties to which you disclose information, as described in your initial notice. The notice should also state that the consumer is allowed to opt out of the disclosures. You should also identify the financial products or services that the consumer obtains from you, either singly or jointly, to which the opt-out directions would apply. [Section 1016.7(a)(2)(i)] See Appendix A to the regulation for model forms that include disclosing the opt-out right.

In order to provide a “reasonable means” by which the consumer may exercise the opt-out right, you can:
  • Use check-off boxes in a prominent position on the opt-out notice;
  • Include a reply form and the address to which the form should be mailed along with the opt-out notice;
  • Provide an electronic means to opt out, if the consumer agrees to electronic delivery of information; or
  • Provide a toll-free telephone number the consumer may use to opt out.

[Section 1016.7(a)(2)(ii)]

You may not require your customers to write their own letter as their only way to opt out. And it is not reasonable if the only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that you provided with the initial notice but did not include with the subsequent notice. [Section 1016.7(a)(2)(iii)]

However, you are allowed to provide the opt-out notice on the same written or electronic form as your initial privacy notice. [Section 1016.7(b)]

The regulations provide a number of opt-out rules for situations involving two or more consumers jointly obtaining a financial product or service from you.

[Sections 1016.7(d)(5) and 1016.7(e)(5)]

Of course, if the consumer opts out, you must comply with that direction as soon as reasonably practicable after you receive it. [Section 1016.7(g)] The consumer has a continuing right to opt out at any time. [Section 1016.7(h)] A consumer’s opt-out direction is effective until the consumer revokes it in writing or, if the consumer agrees, electronically. [Section 1016.7(i)(1)] This is true even if the consumer is a former customer, but if the consumer becomes a customer again, the opt-out instruction does not apply to the new relationship. [Section 1016.7(i)(2)]

How to deliver privacy and opt-out notices

The standard set by the regulations is that you must provide privacy and opt-out notices in such a way that you reasonably expect the consumer to receive actual notice in writing or, if the consumer agrees, electronically. [Section 1016.9(a)] You have this reasonable expectation if you hand-deliver a printed copy of the notice to the consumer, or mail a printed copy of the notice to the last known address of the consumer. [Section 1016.9(b)(1)(i) and (ii)] For a consumer who conducts transactions electronically, you have this reasonable expectation if you post the notice on the electronic site and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service. [Section 1016.9(b)(1)(iii)] Finally, with respect to an isolated transaction with the consumer, such as an ATM transaction, you have this reasonable expectation if you post the notice on the ATM screen and require the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service. [Section 1016.9(b)(1)(iv)]

Two special rules apply to annual notices only. First, you have this reasonable expectation if the customer uses your web site to access financial products and services electronically and agrees to receive notices at the web site, and you post your current privacy notice continuously in a clear and conspicuous manner on the web site. [Section 1016.9(c)(1)] Second, you have a reasonable expectation if the customer has requested that you refrain from sending any information regarding the customer relationship and your current privacy notice remains available to the customer upon request. [Section 1016.9(c)(2)]

Providing a notice solely by orally explaining it, in person or over the telephone, is not sufficient to comply with the delivery requirements. [Section 1016.9(d)]

For customers (but not consumers who are not customers), you not only must have the privacy notices in writing, but you must also deliver them in a form that allows the customer to retain the notice or obtain it later in writing—or, if the customer agrees, electronically. [Section 1016.9(e)(1)] Hand delivering or mailing a printed copy is sufficient, of course. [Section 1016.9(e)(2)(i) and (ii)] (In the case of credit unions, this means mailing a printed copy on the member’s request.) But you may also make your current privacy notice available on a web site, or provide a link to another web site where it is available, for the customer who obtains a financial product or service electronically and agrees to receive the notice at the web site.

[Section 1016.9(e)(2)(iii)]

Finally, you are allowed to provide joint notices with another financial institution, as long as the notice is accurate. [Section 1016.9(f); Section 1016.6(e)(7) in the NCUA regulation] And, when two or more consumers jointly obtain a financial product or service, you need only send the privacy notices (initial, annual, and revised) to one of those consumers rather than to all of them. [Section 1016.9(g) and Section 1016.9(i)]