(a)

(1) Information you receive under an exception. If you receive nonpublic personal information from a nonaffiliated financial institution under an exception in §1016.14 or §1016.15 of this part, your disclosure and use of that information is limited as follows:

(i) You may disclose the information to the affiliates of the financial institution from which you received the information;

(ii) You may disclose the information to your affiliates, but your affiliates may, in turn, disclose and use the information only to the extent that you may disclose and use the information; and

(iii) You may disclose and use the information pursuant to an exception in §1016.14 or §1016.15 in the ordinary course of business to carry out the activity covered by the exception under which you received the information.

(2) Example. If you receive a customer list from a nonaffiliated financial institution in order to provide account processing services under the exception in §1016.14(a), you may disclose that information under any exception in §1016.14 or §1016.15 in the ordinary course of business in order to provide those services. For example, you could disclose the information in response to a properly authorized subpoena or, in the case of financial institutions other than those described in §1016.3(l)(3), to your attorneys, accountants, and auditors. You could not disclose that information to a third party for marketing purposes or use that information for your own marketing purposes.

(b)

(1) Information you receive outside of an exception. If you receive nonpublic personal information from a nonaffiliated financial institution other than under an exception in §1016.14 or §1016.15 of this part, you may disclose the information only:

(i) To the affiliates of the financial institution from which you received the information;

(ii) To your affiliates, but your affiliates may, in turn, disclose the information only to the extent that you can disclose the information; and

(iii) To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which you received the information.

(2) Example. If you obtain a customer list from a nonaffiliated financial institution outside of the exceptions in §§1016.14 and 1016.15:

(i) You may use that list for your own purposes; and

(ii) You may disclose that list to another nonaffiliated third party only if the financial institution from which you purchased the list could have lawfully disclosed the list to that third party. That is, you may disclose the list in accordance with the privacy policy of the financial institution from which you received the list, as limited by the opt out direction of each consumer whose nonpublic personal information you intend to disclose, and you may disclose the list in accordance with an exception in §1016.14 or §1016.15, such as to your attorneys or accountants.

(c) Information you disclose under an exception. If you disclose nonpublic personal information to a nonaffiliated third party under an exception in §1016.14 or §1016.15 of this part, the third party may disclose and use that information only as follows:

(1) The third party may disclose the information to your affiliates;

(2) The third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the third party may disclose and use the information; and

(3) The third party may disclose and use the information pursuant to an exception in §1016.14 or §1016.15 in the ordinary course of business to carry out the activity covered by the exception under which it received the information.

(d) Information you disclose outside of an exception. If you disclose nonpublic personal information to a nonaffiliated third party other than under an exception in §1016.14 or §1016.15 of this part, the third party may disclose the information only:

(1) To your affiliates;

(2) To its affiliates, but its affiliates, in turn, may disclose the information only to the extent the third party can disclose the information; and

(3) To any other person, if the disclosure would be lawful if you made it directly to that person.


Tried the LawStack mobile app?

Join thousands and try LawStack mobile for FREE today.

  • Carry the law offline, wherever you go.
  • Download CFR, USC, rules, and state law to your mobile device.