17 CFR §160.8

1. (a)General rule. Except as otherwise authorized in this part, you must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that you provided to that consumer under § 160.4, unless:
   1. (1)You have provided to the consumer a clear and conspicuous revised notice that accurately describes your policies and practices;
   2. (2)You have provided to the consumer a new opt out notice;
   3. (3)You have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and
   4. (4)The consumer does not opt out.
2. (b)Examples.
   1. (1)Except as otherwise permitted by §§ 160.13, 160.14, and 160.15, you must provide a revised notice before you:
      1. (i)Disclose a new category of nonpublic personal information to any nonaffiliated third party;
      2. (ii)Disclose nonpublic personal information to a new category of nonaffiliated third party; or
      3. (iii)Disclose nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.
   2. (2)A revised notice is not required if you disclose nonpublic personal information to a new nonaffiliated third party that you adequately described in your prior notice.
3. (c)Delivery. When you are required to deliver a revised privacy notice by this section, you must deliver it according to § 160.9.