Pennsylvania Code & Bulletin
COMMONWEALTH OF PENNSYLVANIA


The Pennsylvania Code website reflects the Pennsylvania Code changes effective through 54 Pa.B. 488 (January 27, 2024).




Subchapter C. LIMITS ON DISCLOSURES OF FINANCIAL INFORMATION


Sec.


146a.21.    Limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties.
146a.22.    Limits on redisclosure and reuse of nonpublic personal financial information.
146a.23.    Limits on sharing account number information for marketing purposes.

Cross References

   This subchapter cited in 31 Pa. Code §  146a.2 (relating to definitions).

§ 146a.21. Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.

 (a)  Conditions for disclosure. Except as otherwise authorized in this chapter, a licensee may not, directly or through an affiliate, disclose nonpublic personal financial information about a consumer to a nonaffiliated third party unless all of the following conditions are met:

   (1)  The licensee has provided to the consumer an initial notice as required under §  146a.11 (relating to initial privacy notice to consumers required).

   (2)  The licensee has provided to the consumer an opt out notice as required in §  146a.14 (relating to form of opt out notice to consumers and opt out methods).

   (3)  The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure.

   (4)  The consumer does not opt out.

 (b)  Opt out definition. Opt out means a direction by the consumer that the licensee not disclose nonpublic personal financial information about that consumer to a nonaffiliated third party, other than as permitted by Subchapter D (relating to exceptions to limits on disclosure of nonpublic personal financial information).

 (c)  Examples of reasonable opportunity to opt out. A licensee provides a consumer with a reasonable opportunity to opt out if:

   (1)  By mail. The licensee mails the notices required in subsection (a) to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number or any other reasonable means within 30 days from the date the licensee mailed the notices.

   (2)  By electronic means. A customer opens an online account with a licensee and agrees to receive the notices required in subsection (a) electronically, and the licensee allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.

   (3)  Isolated transaction with consumer. For an isolated transaction such as providing the consumer with an insurance quote, a licensee provides the consumer with a reasonable opportunity to opt out if the licensee provides the notices required in subsection (a) at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.

 (d)  Application of opt out to all consumers and all nonpublic personal financial information.

   (1)  A licensee shall comply with this section, regardless of whether the licensee and the consumer have established a customer relationship.

   (2)  Unless a licensee complies with this section, the licensee may not, directly or through an affiliate, disclose nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.

 (e)  Partial opt out. A licensee may allow a consumer to select certain nonpublic personal financial information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out.

Cross References

   This section cited in 31 Pa. Code §  146a.13 (relating to information to be included in privacy notices); 31 Pa. Code §  146a.14 (relating to form of opt out notice to consumers and opt out methods); 31 Pa. Code §  146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing); 31 Pa. Code §  146a.32 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing); and 31 Pa. Code §  146a.33 (relating to other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information).

§ 146a.22. Limits on redisclosure and reuse of nonpublic personal financial information.

 (a)  Information the licensee receives under an exception.

   (1)  If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in §  146a.32 or §  146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information), the licensee’s disclosure and use of that information is limited as follows:

     (i)   The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information.

     (ii)   The licensee may disclose the information to its affiliates, but the licensee’s affiliates may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information.

     (iii)   The licensee may disclose and use the information under an exception in §  146a.32 or §  146a.33, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.

   (2)  Example. If a licensee receives information from a nonaffiliated financial institution for claims settlement purposes, the licensee may disclose the information for fraud prevention, or in response to a properly authorized subpoena. The licensee may not disclose that information to a nonaffiliated third party for marketing purposes or use that information for its own marketing purposes.

 (b)  Information a licensee receives outside of an exception.

   (1)  If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in §  146a.32 or §  146a.33, the licensee may disclose the information only:

     (i)   To the affiliates of the financial institution from which the licensee received the information.

     (ii)   To its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information.

     (iii)   To any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.

   (2)  Example. If a licensee obtains a customer list from a nonaffiliated financial institution outside of the exceptions in §  146a.32 or §  146a.33 the licensee may do the following:

     (i)   Use that list for its own purposes.

     (ii)   Disclose that list to another nonaffiliated third party only if the financial institution from which the licensee purchased the list could have lawfully disclosed the list to that nonaffiliated third party. That is, the licensee may disclose the list in accordance with the privacy policy of the financial institution from which the licensee received the list, as limited by the opt out direction of each consumer whose nonpublic personal financial information the licensee intends to disclose, and the licensee may disclose the list in accordance with an exception in §  146a.32 or §  146a.33, such as to the licensee’s attorneys or accountants.

 (c)  Information a licensee discloses under an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in §  146a.32 or §  146a.33, the nonaffiliated third party may disclose and use that information only as follows:

   (1)  The nonaffiliated third party may disclose the information to the licensee’s affiliates.

   (2)  The nonaffiliated third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the nonaffiliated third party may disclose and use the information.

   (3)  The nonaffiliated third party may disclose and use the information under an exception in §  146a.32 or §  146a.33, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.

 (d)  Information a licensee discloses outside of an exception. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in §  146a.32 or §  146a.33, the nonaffiliated third party may disclose the information only:

   (1)  To the licensee’s affiliates.

   (2)  To the nonaffiliated third party’s affiliates, but the nonaffiliated third party’s affiliates, in turn, may disclose the information only to the extent the nonaffiliated third party can disclose the information.

   (3)  To any other person, if the disclosure would be lawful if the licensee made it directly to that person.

§ 146a.23. Limits on sharing account number information for marketing purposes.

 (a)  General prohibition on disclosure of account numbers. A licensee may not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer’s policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer.

 (b)  Exceptions. Subsection (a) does not apply if a licensee discloses a policy number or similar form of access number or access code to any of the following:

   (1)  The licensee’s service provider solely in order to perform marketing for the licensee’s own products or services, as long as the service provider is not authorized to directly initiate charges to the account.

   (2)  A licensee who is a producer solely in order to perform marketing for the licensee’s own products or services.

   (3)  A participant in an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program.

 (c)  Examples.

   (1)  Policy number. A policy number, or similar form of access number or access code, does not include a number or code in an encrypted form, as long as the licensee does not provide the recipient with a means to decode the number or code.

   (2)  Policy or transaction account. For the purposes of this section, a policy or transaction account is an account other than a deposit account or a credit card account. A policy or transaction account does not include an account to which third parties cannot initiate charges.





This material has been drawn directly from the official Pennsylvania Code full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.