28 Tex. Admin. Code § 22.10

Current through Reg. 49, No. 49; December 6, 2024
Section 22.10 - Information to be Included in Privacy Notices
(a) Simplified nondisclosure notice requirements. A covered entity that does not disclose, and does not reserve the right to disclose, nonpublic personal financial information about customers or former customers to nonaffiliated third parties except as authorized under § 22.18 of this title (relating to Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions) and § 22.19 of this title (relating to Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information), may comply with this subchapter by providing a simplified notice that expresses:
(1) the nondisclosure policy stated in this subsection, and
(2) the information required by subsections (b)(1), (b)(8), (b)(9), and (c) of this section.
(b) Disclosure notice requirements. The initial, annual, and revised privacy notices a covered entity provides under § 22.8 of this title (relating to Initial Privacy Notice), § 22.9 of this title (relating to Annual Privacy Notice), and § 22.12 of this title (relating to Revised Privacy Notices) must include the following items of information, in addition to any other information the covered entity wishes to provide, that applies to the covered entity and to the consumers to whom the covered entity sends its privacy notice.
(1) The categories of nonpublic personal financial information the covered entity collects. A covered entity satisfies the requirement to categorize the nonpublic personal financial information it collects when the covered entity categorizes it according to the source of the information, as applicable, including:
(A) information from the consumer;
(B) information about the consumer's transactions with the covered entity or its affiliates;
(C) information about the consumer's transactions with nonaffiliated third parties; and
(D) information from a consumer reporting agency.
(2) The categories of nonpublic personal financial information the covered entity discloses.
(A) A covered entity satisfies the requirement to categorize nonpublic personal financial information it discloses when the covered entity categorizes the information according to source, as described in paragraph (1) of this subsection, as applicable, and provides examples to illustrate the types of information in each category, such as:
(i) information from the consumer, including application information (such as assets and income) and identifying information (such as name, address, and social security number);
(ii) transaction information (such as information about balances, payment history, and parties to the transaction); and
(iii) information from consumer reports (such as a consumer's creditworthiness and credit history).
(B) A covered entity does not adequately categorize the information it discloses when the covered entity uses only general terms (such as transaction information about the consumer).
(C) A covered entity that reserves the right to disclose all the nonpublic personal financial information about consumers it collects may state that fact without describing the categories or examples of nonpublic personal financial information the covered entity discloses.
(3) The categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information, other than those parties to whom the covered entity discloses information under § 22.18 and § 22.19 of this title.
(4) The categories of nonpublic personal financial information about the covered entity's former customers that the covered entity discloses and the categories of affiliates and nonaffiliated third parties to whom the covered entity discloses nonpublic personal financial information about the covered entity's former customers, other than those parties to whom the covered entity discloses information under § 22.18 and § 22.19 of this title.
(5) A separate description of the categories of information the covered entity discloses and the categories of third parties with whom the covered entity has contracted, if the covered entity discloses nonpublic personal financial information to a nonaffiliated third party under § 22.17 of this title (relating to Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing) and no other exception in § 22.18 and § 22.19 of this title applies to that disclosure.
(6) An explanation of the consumer's right under § 22.14(a) of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.
(7) Any disclosures the covered entity makes under §603(d)(2)(A)(iii) of the federal FCRA (15 U.S.C. §1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates).
(8) The covered entity's policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information. A covered entity provides an adequate description of its policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information if it does both of the following:
(A) describes in general terms who is authorized to have access to the information; and
(B) states whether the covered entity has security practices and procedures in place to ensure the confidentiality of the information under the covered entity's policy. The covered entity is not required to describe technical information about the safeguards it uses.
(9) Any disclosure the covered entity makes under subsection (c) of this section.
(c) Description of nonaffiliated third parties subject to exceptions. A covered entity that discloses nonpublic personal financial information to third parties as authorized under § 22.18 and § 22.19 of this title is not required to list those exceptions in the initial or annual privacy notices required by § 22.8 and § 22.9 of this title. When describing the categories of parties to whom the covered entity makes disclosures, it is sufficient for the covered entity to state that it makes disclosures to other nonaffiliated companies:
(1) for the covered entity's everyday business purposes, such as (include all that apply) to process account transactions, maintain accounts, respond to court orders and legal investigations, or report to credit bureaus; or
(2) as permitted by law.
(d) Appropriate methods of categorizing affiliates and nonaffiliated third parties.
(1) A covered entity satisfies the requirement to categorize the affiliates and nonaffiliated third parties to which the covered entity discloses nonpublic personal financial information about consumers if the covered entity identifies the types of businesses in which they engage.
(2) Types of businesses may be described by general terms only if the covered entity uses illustrative examples of significant lines of business. For example, a covered entity may use the term "financial products or services" if the notice includes appropriate examples of significant lines of businesses or services, such as life insurer, automobile insurer, consumer banking, or securities brokerage.
(3) A covered entity also may categorize the affiliates and nonaffiliated third parties to which it discloses nonpublic personal financial information about consumers using more detailed categories.
(e) Disclosures under exception for service providers and joint marketers. A covered entity that discloses nonpublic personal financial information under the exception in § 22.17 of this title to a nonaffiliated third party to market products or services it offers alone or jointly with another financial institution satisfies the disclosure requirement of subsection (b)(5) of this section if it:
(1) lists the categories of nonpublic personal financial information it discloses, using the same categories and examples the covered entity used to meet the requirements of subsection (a)(2) of this section, as applicable; and
(2) states whether the third party is:
(A) a service provider that performs marketing services on the covered entity's behalf or on behalf of the covered entity and another financial institution; or
(B) a financial institution with whom the covered entity has a joint marketing agreement.
(f) Short-form initial notice with opt out notice for noncustomers.
(1) A covered entity may satisfy the initial notice requirements in § 22.8(a)(2) and § 22.11(c) of this title (relating to Form of Opt Out Notice to Consumers and Opt Out Methods) for a consumer who is not a customer by providing a short-form initial notice at the same time as the covered entity delivers an opt out notice as required in § 22.11 of this title.
(2) A short-form initial notice must:
(A) be clear and conspicuous;
(B) state that the covered entity's privacy notice is available on request; and
(C) explain a reasonable means by which the consumer may obtain that notice.
(3) The covered entity must deliver its short-form initial notice according to § 22.13 of this title (relating to Delivery). The covered entity is not required to deliver its privacy notice with its short-form initial notice. The covered entity may instead provide the consumer with a reasonable means to obtain its privacy notice. If a consumer who receives the covered entity's short-form notice requests the covered entity's privacy notice, the covered entity must deliver its privacy notice according to § 22.13 of this title.
(4) The covered entity provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the covered entity:
(A) provides a toll-free telephone number that the consumer may call to request the notice; or
(B) for a consumer who conducts business in person at the covered entity's office, maintains copies of the notice on hand that the covered entity provides to the consumer immediately on request.
(g) Reservation of right to disclose. The covered entity's notice may include:
(1) categories of nonpublic personal financial information the covered entity reserves the right to disclose in the future, but does not currently disclose; and
(2) categories of affiliates or nonaffiliated third parties to whom the covered entity reserves the right in the future to disclose, but to whom the covered entity does not currently disclose, nonpublic personal financial information.
(h) Model privacy form. A model privacy form that meets the notice content requirements of this section appears in 74 Federal Register 62890 (December 1, 2009). A covered entity may use the applicable model privacy form, consistent with the instructions in § 22.27 of this title (relating to General Instructions).

28 Tex. Admin. Code § 22.10

The provisions of this §22.10 adopted to be effective December 17, 2001, 26 TexReg 10316; amended by Texas Register, Volume 39, Number 49, December 5, 2014, TexReg 9566, eff. 12/7/2014