31 Pa. Code § 146a.22

Current through Register Vol. 54, No. 45, November 9, 2024
Section 146a.22 - Limits on redisclosure and reuse of nonpublic personal financial information
(a)Information the licensee receives under an exception.
(1) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in § 146a.32 or § 146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information), the licensee's disclosure and use of that information is limited as follows:
(i) The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information.
(ii) The licensee may disclose the information to its affiliates, but the licensee's affiliates may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information.
(iii) The licensee may disclose and use the information under an exception in § 146a.32 or § 146a.33, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
(2)Example. If a licensee receives information from a nonaffiliated financial institution for claims settlement purposes, the licensee may disclose the information for fraud prevention, or in response to a properly authorized subpoena. The licensee may not disclose that information to a nonaffiliated third party for marketing purposes or use that information for its own marketing purposes.
(b)Information a licensee receives outside of an exception.
(1) If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in § 146a.32 or § 146a.33, the licensee may disclose the information only:
(i) To the affiliates of the financial institution from which the licensee received the information.
(ii) To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information.
(iii) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.
(2)Example. If a licensee obtains a customer list from a nonaffiliated financial institution outside of the exceptions in § 146a.32 or § 146a.33 the licensee may do the following:
(i) Use that list for its own purposes.
(ii) Disclose that list to another nonaffiliated third party only if the financial institution from which the licensee purchased the list could have lawfully disclosed the list to that nonaffiliated third party. That is, the licensee may disclose the list in accordance with the privacy policy of the financial institution from which the licensee received the list, as limited by the opt out direction of each consumer whose nonpublic personal financial information the licensee intends to disclose, and the licensee may disclose the list in accordance with an exception in § 146a.32 or § 146a.33, such as to the licensee's attorneys or accountants.
(c)Information a licensee discloses under an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in § 146a.32 or § 146a.33, the nonaffiliated third party may disclose and use that information only as follows:
(1) The nonaffiliated third party may disclose the information to the licensee's affiliates.
(2) The nonaffiliated third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the nonaffiliated third party may disclose and use the information.
(3) The nonaffiliated third party may disclose and use the information under an exception in § 146a.32 or § 146a.33, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.
(d)Information a licensee discloses outside of an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in § 146a.32 or § 146a.33, the nonaffiliated third party may disclose the information only:
(1) To the licensee's affiliates.
(2) To the nonaffiliated third party's affiliates, but the nonaffiliated third party's affiliates, in turn, may disclose the information only to the extent the nonaffiliated third party can disclose the information.
(3) To any other person, if the disclosure would be lawful if the licensee made it directly to that person.

31 Pa. Code § 146a.22