Can I share personal information about my customers with third parties in Oklahoma? What are the requirements?
Yes, you may share personal information about your customers with third parties in Oklahoma, but you must comply with certain requirements.
Requirements for sharing personal information with third parties
- You must provide an initial notice to the consumer as required under Section 365:35-1-10.
- You must provide an opt-out notice to the consumer as required in Section 365:35-1-13.
- You must give the consumer a reasonable opportunity, before disclosing the information to the nonaffiliated third party, to opt out of the disclosure.
- The consumer must not have opted out of the disclosure.
Exceptions to notice and opt-out requirements
There are several exceptions to the notice and opt-out requirements for disclosure of nonpublic personal financial information. These include:
- With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction.
- To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction; to protect against or prevent actual or potential fraud or unauthorized transactions; for required institutional risk control or for resolving consumer disputes or inquiries; to persons holding a legal or beneficial interest relating to the consumer; or to persons acting in a fiduciary or representative capacity on behalf of the consumer.
- To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants and auditors.
- To comply with federal, state or local laws, rules and other applicable legal requirements; to comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law.
- For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers’ compensation plan.
Limits on redisclosure and reuse of nonpublic personal financial information
If you receive nonpublic personal financial information from a nonaffiliated financial institution under an exception, your disclosure and use of that information are limited. You may disclose the information to the affiliates of the financial institution from which you received the information, to your affiliates, and pursuant to an exception in Sections 365:35-1-31 or 32 of this regulation, in the ordinary course of business to carry out the activity covered by the exception under which you received the information.
If you receive nonpublic personal financial information from a nonaffiliated financial institution other than under an exception, you may disclose the information only to the affiliates of the financial institution from which you received the information, to your affiliates, and to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which you received the information.
Information to be included in privacy notices
The initial, annual and revised privacy notices that you provide shall include each of the following items of information:
- The categories of nonpublic personal financial information that you collect.
- The categories of nonpublic personal financial information that you disclose.
- The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal financial information, other than those parties to whom you disclose information under Sections 365:35-1-31 and 32.
- The categories of nonpublic personal financial information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal financial information about your former customers, other than those parties to whom you disclose information under Sections 365:35-1-31 and 32.
- If you disclose nonpublic personal financial information to a nonaffiliated third party under Section 365:35-1-30 (and no other exception in Sections 365:35-1-31 and 32 applies to that disclosure), a separate description of the categories of information you disclose and the categories of third parties with whom you have contracted.
- An explanation of the consumer’s right under Subsection 365:35-1-20(a) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time.
- Any disclosures that you make under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(.
Note that the above requirements and exceptions apply to nonpublic personal financial information. If you are sharing nonpublic personal health information, you must obtain authorization from the consumer or customer whose nonpublic personal health information is sought to be disclosed, unless an exception applies as described in Section 365:35-1-40. [1.4]
Source(s):
- [1.1] Limits on disclosure of nonpublic personal financial information to nonaffiliated third parties
- [1.2] Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing
- [1.3] Other exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information
- [1.4] When authorization required for disclosure of nonpublic personal health information
Jurisdiction
Oklahoma