Can I share personal information about my customers with third parties in Pennsylvania? What are the requirements?
Here is what you need to know about sharing personal information about your customers with third parties in Pennsylvania:
Annual Privacy Notice to Customers Required [1.2]
As per 31 PACO Section 146a.12, a licensee must provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. The licensee may define the 12-consecutive-month period, but the licensee shall apply it to the customer on a consistent basis. A licensee is not required to provide an annual privacy notice under this section if the licensee has not changed its policies or practices regarding disclosure of nonpublic personal financial information from those in the most recent notice sent to consumers and the disclosure of nonpublic personal financial information is made to only nonaffiliated third parties and meets certain requirements.
Limitations on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties [1.1]
According to 31 PACO Section 146a.21, a licensee may not disclose nonpublic personal financial information about a consumer to a nonaffiliated third party unless all of the following conditions are met:
- The licensee has provided to the consumer an initial notice as required under § 146a.11 (relating to initial privacy notice to consumers required).
- The licensee has provided to the consumer an opt-out notice as required in § 146a.14 (relating to form of opt-out notice to consumers and opt-out methods).
- The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure.
- The consumer does not opt out.
Exception to Opt-Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing [1.3]
There is an exception to the opt-out requirements for disclosure of nonpublic personal financial information to nonaffiliated third parties. According to 31 PACO Section 146a.31, the opt-out requirements do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee meets both of the following conditions:
- Provides the initial notice in accordance with § 146a.11 (relating to initial privacy notice to consumers required).
- Enters into a contractual agreement with the nonaffiliated third party that prohibits the nonaffiliated third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information.
Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information [1.5]
If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in § 146a.32 or § 146a.33, the licensee may not disclose the information to any other nonaffiliated third party without providing the consumer with an opt-out notice and a reasonable opportunity to opt out of the disclosure.
Authorization Required for Disclosure of Nonpublic Personal Health Information [3.1]
According to 31 PACO Section 146b.11, a licensee may not disclose nonpublic personal health information about a consumer unless an authorization is obtained from the consumer whose nonpublic personal health information is sought to be disclosed. However, there are exceptions to this requirement, including for insurance functions such as claims administration, claims adjustment, underwriting, and policy placement or issuance.
Based on the above information, it appears that you may share personal information about your customers with third parties in Pennsylvania under certain conditions. If the personal information is nonpublic personal financial information, you must provide an initial notice, an opt-out notice, and a reasonable opportunity to opt out before disclosing the information to a nonaffiliated third party, unless an exception applies. If the personal information is nonpublic personal health information, you generally need to obtain authorization from the consumer, unless an exception applies.
Please note that this is a general overview and there may be additional requirements or exceptions that apply to your specific situation. It is recommended that you consult with a legal professional for specific guidance.
Source(s):
- [1.1] Limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties.
- [1.2] Annual privacy notice to customers required.
- [1.3] Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing.
- [3.1] Authorization required for disclosure of nonpublic personal health information.
- [1.5] Limits on redisclosure and reuse of nonpublic personal financial information.
Jurisdiction
Pennsylvania