Can I share personal information about my customers with third parties in Idaho? What are the requirements?

Sharing Personal Information with Third Parties in Idaho

In Idaho, a licensee cannot disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless the licensee has provided the consumer with an initial notice, an opt-out notice, and a reasonable opportunity to opt-out of the disclosure ^[1.1]. However, there are exceptions to this rule.

Annual Privacy Notice to Customers

A licensee must provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship ^[1.2]. However, a licensee is not obligated to provide the annual privacy notice to a current customer if the licensee provides nonpublic personal information to nonaffiliated third parties only in accordance with Sections 450, 451, and 452, and has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with Section 100 or Section 150 ^[1.2].

Exceptions to Opt-Out Requirements

The opt-out requirements do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information ^[1.4]. Additionally, the requirements for initial notice, opt-out, and service providers and joint marketing do not apply if the licensee discloses nonpublic personal financial information as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with servicing or processing an insurance product or service that a consumer requests or authorizes, maintaining or servicing the consumer’s account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity, a proposed or actual securitization, secondary market sale, or similar transaction related to a transaction of the consumer, or reinsurance or stop loss or excess loss insurance ^[1.5].

Other Exceptions to Notice and Opt-Out Requirements

The requirements for initial notice to consumers, opt-out, and service providers and joint marketing do not apply when a licensee discloses nonpublic personal financial information with the consent or at the direction of the consumer, to protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction, to protect against or prevent actual or potential fraud or unauthorized transactions, for prescribed institutional risk control or for resolving consumer disputes or inquiries, to persons holding a legal or beneficial interest relating to the consumer, or to persons acting in a fiduciary or representative capacity on behalf of the consumer ^[1.3].

Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information

If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution, the licensee may disclose the information only to the affiliates of the financial institution from which the licensee received the information, and to its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information ^[1.7]. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party, the third party may disclose that information only to the licensee’s affiliates, to the third party’s affiliates, but the third party’s affiliates, in turn, may disclose the information only to the extent the third party can disclose the information, and to any other person, if the disclosure would be lawful if the licensee made it directly to that person ^[1.7].

Disclosure of Breach of Security of Computerized Personal Information by an Agency, Individual or a Commercial Entity

A city, county or state agency, individual or a commercial entity that conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused. If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual or the commercial entity shall give notice as soon as possible to the affected Idaho resident ^[3.1].

Conclusion

In general, a licensee in Idaho cannot disclose nonpublic personal financial information about a consumer to a nonaffiliated third party without providing the consumer with an initial notice, an opt-out notice, and a reasonable opportunity to opt-out of the disclosure. However, there are exceptions to this rule, such as when the disclosure is necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or when the disclosure is made to a service provider or joint marketer. Additionally, consent-based disclosure may be allowed for employment security information. A licensee must provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. However, a licensee is not obligated to provide the annual privacy notice to a current customer if the licensee provides nonpublic personal information to nonaffiliated third parties only in accordance with Sections 450, 451, and 452, and has not changed its policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed in the most recent disclosure sent to consumers in accordance with Section 100 or Section 150.

Source(s):

• [1.1] LIMITS ON DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION TO NONAFFILIATED THIRD PARTIES.
• [1.2] ANNUAL PRIVACY NOTICE TO CUSTOMERS.
• [1.3] OTHER EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION.
• [1.4] EXCEPTION TO OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION FOR SERVICE PROVIDERS AND JOINT MARKETING.
• [1.5] EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION FOR PROCESSING AND SERVICING TRANSACTIONS.
• [1.7] LIMITS ON REDISCLOSURE AND REUSE OF NONPUBLIC PERSONAL FINANCIAL INFORMATION.
• [3.1] DISCLOSURE OF BREACH OF SECURITY OF COMPUTERIZED PERSONAL INFORMATION BY AN AGENCY, INDIVIDUAL OR A COMMERCIAL ENTITY.

Jurisdiction

Idaho

• Privacy