Can I share personal information about my customers with third parties in Colorado? What are the requirements?

Sharing Personal Information with Third Parties in Colorado

If you are a licensee in Colorado, you may share nonpublic personal financial information about a consumer to a nonaffiliated third party only if you meet the following requirements:

1. You have provided the consumer with an initial notice as required under Section 5 ^[1.2];
2. You have provided the consumer with an opt-out notice as required in Section 8 ^[1.2];
3. You have given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
4. The consumer does not opt out.

You must comply with these requirements regardless of whether you and the consumer have established a customer relationship ^[1.1].

Exceptions to Opt-Out Requirements

There are exceptions to the opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing ^[1.3], and for processing and servicing transactions ^[1.5]. However, if you disclose nonpublic personal financial information to a nonaffiliated third party under an exception, the third party may disclose and use that information only as specified in Sections 13 and 14 of the regulation ^[1.6][1.9].

Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information

If you receive nonpublic personal financial information from a nonaffiliated financial institution under an exception, your disclosure and use of that information is limited ^[1.6]. If you receive nonpublic personal financial information from a nonaffiliated financial institution other than under an exception, you may disclose the information only as specified in Section 13 of the regulation ^[1.6].

Limits on Sharing Account Number Information for Marketing Purposes

You shall not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer’s policy or transaction account to any nonaffiliated third party for use in telemarketing, direct mail marketing or other marketing through electronic mail to the consumer ^[1.9].

Annual Privacy Notice to Customers Required

A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship ^[1.2].

Conclusion

In summary, you may share personal information about your customers with third parties in Colorado only if you meet the requirements specified in Section 12 of the regulation ^[1.1]. There are exceptions to the opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing ^[1.3], and for processing and servicing transactions ^[1.5]. However, if you disclose nonpublic personal financial information to a nonaffiliated third party under an exception, the third party may disclose and use that information only as specified in Sections 13 and 14 of the regulation ^[1.6][1.9]. You must also provide an annual privacy notice to customers ^[1.2].

Source(s):

• [1.1] Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties
• [1.2] Annual Privacy Notice to Customers Required
• [1.3] Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing
• [1.5] Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions
• [1.6] Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
• [1.9] Limits on Sharing Account Number Information for Marketing Purposes

Jurisdiction

Colorado

• Privacy