15 U.S.C. § 6802 : US Code - Section 6802: Obligations with respect to disclosures of personal information

Search 15 U.S.C. § 6802 : US Code - Section 6802: Obligations with respect to disclosures of personal information

(a) Notice requirements
Except as otherwise provided in this subchapter, a financial
institution may not, directly or through any affiliate, disclose to
a nonaffiliated third party any nonpublic personal information,
unless such financial institution provides or has provided to the
consumer a notice that complies with section 6803 of this title.
(b) Opt out
(1) In general
A financial institution may not disclose nonpublic personal
information to a nonaffiliated third party unless -
(A) such financial institution clearly and conspicuously
discloses to the consumer, in writing or in electronic form or
other form permitted by the regulations prescribed under
section 6804 of this title, that such information may be
disclosed to such third party;
(B) the consumer is given the opportunity, before the time
that such information is initially disclosed, to direct that
such information not be disclosed to such third party; and
(C) the consumer is given an explanation of how the consumer
can exercise that nondisclosure option.
(2) Exception
This subsection shall not prevent a financial institution from
providing nonpublic personal information to a nonaffiliated third
party to perform services for or functions on behalf of the
financial institution, including marketing of the financial
institution's own products or services, or financial products or
services offered pursuant to joint agreements between two or more
financial institutions that comply with the requirements imposed
by the regulations prescribed under section 6804 of this title,
if the financial institution fully discloses the providing of
such information and enters into a contractual agreement with the
third party that requires the third party to maintain the
confidentiality of such information.
(c) Limits on reuse of information
Except as otherwise provided in this subchapter, a nonaffiliated
third party that receives from a financial institution nonpublic
personal information under this section shall not, directly or
through an affiliate of such receiving third party, disclose such
information to any other person that is a nonaffiliated third party
of both the financial institution and such receiving third party,
unless such disclosure would be lawful if made directly to such
other person by the financial institution.
(d) Limitations on the sharing of account number information for
marketing purposes
A financial institution shall not disclose, other than to a
consumer reporting agency, an account number or similar form of
access number or access code for a credit card account, deposit
account, or transaction account of a consumer to any nonaffiliated
third party for use in telemarketing, direct mail marketing, or
other marketing through electronic mail to the consumer.
(e) General exceptions
Subsections (a) and (b) of this section shall not prohibit the
disclosure of nonpublic personal information -
(1) as necessary to effect, administer, or enforce a
transaction requested or authorized by the consumer, or in
connection with -
(A) servicing or processing a financial product or service
requested or authorized by the consumer;
(B) maintaining or servicing the consumer's account with the
financial institution, or with another entity as part of a
private label credit card program or other extension of credit
on behalf of such entity; or
(C) a proposed or actual securitization, secondary market
sale (including sales of servicing rights), or similar
transaction related to a transaction of the consumer;
(2) with the consent or at the direction of the consumer;
(3)(A) to protect the confidentiality or security of the
financial institution's records pertaining to the consumer, the
service or product, or the transaction therein; (B) to protect
against or prevent actual or potential fraud, unauthorized
transactions, claims, or other liability; (C) for required
institutional risk control, or for resolving customer disputes or
inquiries; (D) to persons holding a legal or beneficial interest
relating to the consumer; or (E) to persons acting in a fiduciary
or representative capacity on behalf of the consumer;
(4) to provide information to insurance rate advisory
organizations, guaranty funds or agencies, applicable rating
agencies of the financial institution, persons assessing the
institution's compliance with industry standards, and the
institution's attorneys, accountants, and auditors;
(5) to the extent specifically permitted or required under
other provisions of law and in accordance with the Right to
Financial Privacy Act of 1978 [12 U.S.C. 3401 et seq.], to law
enforcement agencies (including a Federal functional regulator,
the Secretary of the Treasury with respect to subchapter II of
chapter 53 of title 31, and chapter 2 of title I of Public Law 91-
508 (12 U.S.C. 1951-1959), a State insurance authority, or the
Federal Trade Commission), self-regulatory organizations, or for
an investigation on a matter related to public safety;
(6)(A) to a consumer reporting agency in accordance with the
Fair Credit Reporting Act [15 U.S.C. 1681 et seq.], or (B) from a
consumer report reported by a consumer reporting agency;
(7) in connection with a proposed or actual sale, merger,
transfer, or exchange of all or a portion of a business or
operating unit if the disclosure of nonpublic personal
information concerns solely consumers of such business or unit;
or
(8) to comply with Federal, State, or local laws, rules, and
other applicable legal requirements; to comply with a properly
authorized civil, criminal, or regulatory investigation or
subpoena or summons by Federal, State, or local authorities; or
to respond to judicial process or government regulatory
authorities having jurisdiction over the financial institution
for examination, compliance, or other purposes as authorized by
law.