Pennsylvania Code
Pennsylvania Code & Bulletin
COMMONWEALTH OF PENNSYLVANIA

• No statutes or acts will be found at this website.

The Pennsylvania Code website reflects the Pennsylvania Code changes effective through 54 Pa.B. 488 (January 27, 2024).

Pennsylvania Code



Subchapter D. EXCEPTIONS TO LIMITS ON DISCLOSURES OF NONPUBLIC PERSONAL FINANCIAL INFORMATION


Sec.


146a.31.    Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing.
146a.32.    Exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions.
146a.33.    Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information.

Cross References

   This subchapter cited in 31 Pa. Code §  146a.2 (relating to definitions); 31 Pa. Code §  146a.15 (relating to revised privacy notices); and 31 Pa. Code §  146a.21 (relating to limits on disclosure of nonpublic personal financial information of nonaffiliated third parties).

§ 146a.31. Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing.

 (a)  General rule.

   (1)  Opt out requirements. The opt out requirements in § §  146a.14 and 146a.21 (relating to form of opt out notice to consumers and opt out methods; and limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties) do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee meets both of the following conditions:

     (i)   Provides the initial notice in accordance with §  146a.11 (relating to initial privacy notice to consumers required).

     (ii)   Enters into a contractual agreement with the nonaffiliated third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in §  146a.32 or §  146a.33 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions; and other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information) in the ordinary course of business to carry out those purposes.

   (2)  Example. If a licensee discloses nonpublic personal financial information under this section to a financial institution with which the licensee performs joint marketing, the licensee’s contractual agreement with that institution meets the requirements of paragraph (1) if it prohibits the institution from disclosing or using the nonpublic personal financial information except as necessary to carry out the joint marketing or under an exception in §  146a.32 or §  146a.33 in the ordinary course of business to carry out that joint marketing.

 (b)  Service may include joint marketing. The services a nonaffiliated third party performs for a licensee under subsection (a) may include marketing of the licensee’s own products or services or marketing of financial products or services offered under joint agreements between the licensee and one or more financial institutions.

 (c)  Definition of ‘‘joint agreement.’’ For purposes of this section, ‘‘joint agreement’’ means a written contract under which a licensee and one or more financial institutions jointly offer, endorse or sponsor a financial product or service.

Cross References

   This section cited in 31 Pa. Code §  146a.2 (relating to definitions); 31 Pa. Code §  146a.12 (relating to annual privacy notice to customers required); 31 Pa. Code §  146a.13 (relating to information to be included in privacy notices); 31 Pa. Code §  146a.32 (relating to exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions); 31 Pa. Code §  146a.33 (relating to other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information); and 31 Pa. Code §  146a.44 (relating to effective date).

§ 146a.32. Exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions.

 (a)  Exceptions for processing transactions at consumer’s request. The requirements for initial notice in §  146a.11(a)(2) (relating to initial privacy notice to consumers required), the opt out in § §  146a.14 and 146a.21 (relating to form of opt out notice to consumers and opt out methods; and limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties), and service providers and joint marketing in §  146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing) do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with any of the following:

   (1)  Servicing or processing an insurance product or service that a consumer requests or authorizes.

   (2)  Maintaining or servicing the consumer’s account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of that entity.

   (3)  A proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer.

   (4)  Reinsurance or stop loss or excess loss insurance.

 (b)  Necessary to effect, administer or enforce a transaction. When used in this section, ‘‘necessary to effect, administer or enforce a transaction’’ means that the disclosure is required or is either of the following:

   (1)  One of the lawful or appropriate methods, to enforce the licensee’s rights or the rights of other persons engaged in carrying out the financial transaction or providing the product or service.

   (2)  A usual, appropriate or acceptable method to do one or more of the following:

     (i)   Carry out the transaction or the product or service business of which the transaction is a part, and record, service or maintain the consumer’s account in the ordinary course of providing the insurance product or service.

     (ii)   Administer or service benefits or claims relating to the transaction or the product or service business of which it is a part.

     (iii)   Provide a confirmation, explanation, statement or other record of the transaction, or information on the status or value of the insurance product or service to the consumer, the consumer’s producer, or a policyholder or the policyholder’s agent, producer, or broker with respect to a claim asserted by, or paid to, a consumer under a policy.

     (iv)   Accrue or recognize incentives or bonuses associated with the transaction that are provided by a licensee or any other party.

     (v)   Underwrite insurance at the consumer’s request or for any of the following purposes as they relate to a consumer’s insurance, or, when the consumer is a workers’ compensation claimant or third party claimant, to the policyholder’s insurance: account administration, reporting, investigating or preventing fraud or material misrepresentation, processing premium payments, processing, adjusting, paying, and settling insurance claims, administering insurance benefits (including utilization review activities), participating in research projects or as otherwise required or specifically permitted by Federal or State law.

     (vi)   Use in connection with any of the following:

       (A)   The authorization, settlement, billing, processing, clearing, transferring, reconciling or collection of amounts charged, debited or otherwise paid using a debit, credit or other payment card, check or account number, or by other payment means.

       (B)   The transfer of receivables, accounts or interests therein.

       (C)   The audit of debit, credit or other payment information.

Cross References

   This section cited in 31 Pa. Code §  146a.2 (relating to definitions); 31 Pa. Code §  146a.11 (relating to initial privacy notice to consumers required); 31 Pa. Code §  146a.12 (relating to annual privacy notice to customers required); 31 Pa. Code §  146a.13 (relating to information to be included in privacy notices); and 31 Pa. Code §  146a.22 (relating to limits on redisclosure and reuse of nonpublic personal financial information).

§ 146a.33. Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information.

 (a)  Exceptions to opt out requirements. The requirements for initial notice to consumers in §  146a.11(a)(2) (relating to initial privacy notice to consumers required) the opt out in § §  146a.14 and 146a.21 (relating to form of opt out notice to consumers and opt out methods; and limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties), and service providers and joint marketing in §  146a.31 (relating to exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing) do not apply when a licensee discloses nonpublic personal financial information:

   (1)  With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction.

   (2)  To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction.

   (3)  To protect against or prevent actual or potential fraud or unauthorized transactions.

   (4)  For required institutional risk control or for resolving consumer disputes or inquiries.

   (5)  To persons holding a legal or beneficial interest relating to the consumer.

   (6)  To persons acting in a fiduciary or representative capacity on behalf of the consumer.

   (7)  To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants and auditors.

   (8)  To the extent specifically permitted or required under other provisions of law and in accordance with the Federal Right to Financial Privacy Act of 1978 (12 U.S.C.A. § §  3401—3422), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C.A. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C.A. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission), self-regulatory organizations or for an investigation on a matter related to public safety.

   (9)  To a consumer reporting agency in accordance with the Federal Fair Credit Reporting Act (15 U.S.C.A. § §  1681—1681u), or from a consumer report reported by a consumer reporting agency.

   (10)  In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit.

   (11)  To comply with Federal, state or local laws, rules and other applicable legal requirements.

   (12)  To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by Federal, state or local authorities.

   (13)  To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law.

   (14)  For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers’ compensation plan.

 (b)  Example of revocation of consent. A consumer may revoke consent by subsequently exercising the right to opt out of future disclosures of nonpublic personal financial information as permitted under §  146a.14(f) (relating to form of opt out notice to consumers and opt out methods).

Cross References

   This section cited in 31 Pa. Code §  146a.2 (relating to definitions); 31 Pa. Code §  146a.11 (relating to initial privacy notice to consumers required); 31 Pa. Code §  146a.12 (relating to annual privacy notice to customers required); 31 Pa. Code §  146a.13 (relating to information to be included in privacy notices); and 31 Pa. Code §  146a.22 (relating to limits on redisclosure and reuse of nonpublic personal financial information).


No part of the information on this site may be reproduced for profit or sold for profit.


This material has been drawn directly from the official Pennsylvania Code full text database. Due to the limitations of HTML or differences in display capabilities of different browsers, this version may differ slightly from the official printed version.