(a) Purpose. This part governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This part:
(1) Requires a financial institution to provide notice to customers about its privacy policies and practices;
(2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
(3) Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by “opting out” of that disclosure, subject to the exceptions in §§1016.13, 1016.14, and 1016.15.
(b) Scope.
(1) This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to those financial institutions and other persons for which the Bureau of Consumer Financial Protection (Bureau) has rulemaking authority pursuant to section 504(a)(1)(A) of the Gramm-Leach-Bliley Act (GLB Act) (15 U.S.C. 6804(a)(1)(A)). Specifically, this part applies to any financial institution and other covered person or service provider that is subject to Subtitle A of Title V of the GLB Act, including third parties that are not financial institutions but that receive nonpublic personal information from financial institutions with whom they are not affiliated. This part does not apply to certain motor vehicle dealers described in 12 U.S.C. 5519 or to entities for which the Securities and Exchange Commission or the Commodity Futures Trading Commission has rulemaking authority pursuant to sections 504(a)(1)(A)-(B) of the GLB Act (15 U.S.C. 6804(a)(1)(A)-(B)). Except as otherwise specifically provided herein, entities to which this part applies are referred to in this part as “you.”
(2)
(i) Nothing in this part modifies, limits, or supersedes the standards governing individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).
(ii) Any institution of higher education that complies with the Federal Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g, and its implementing regulations, 34 CFR part 99, and that is also a financial institution described in §1016.3(l)(3) of this part, shall be deemed to be in compliance with this part if it is in compliance with FERPA.
(3) Nothing in this part shall apply to:
(i) A financial institution that is a person described in section 1029(a) of the Consumer Financial Protection Act of 2010, title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), Public Law 111-203, 124 Stat. 1376 (12 U.S.C. 5519(a));
(ii) A financial institution or other person subject to the jurisdiction of the Commodity Futures Trading Commission under 7 U.S.C. 7b-2;
(iii) A broker or dealer that is registered under the Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.);
(iv) A registered investment adviser, properly registered by or on behalf of either the Securities Exchange Commission or any state, with respect to its investment advisory activities and its activities incidental to those investment advisory activities;
(v) An investment company that is registered under the Investment Company Act of 1940 (15 U.S.C. 80a-1 et seq.); or
(vi) An insurance company, with respect to its insurance activities and its activities incidental to those insurance activities, that is subject to supervision by a state insurance regulator.
[76 FR 79028, Dec. 21, 2011, as amended at 79 FR 64081, Oct. 28, 2014]