Can I share personal information about my customers with third parties in Rhode Island? What are the requirements?

Sharing Personal Information with Third Parties in Rhode Island

Rhode Island law prohibits a licensee from disclosing any nonpublic personal financial information about a consumer to a nonaffiliated third party unless certain conditions are met ^[1.1].

Conditions for Disclosure

A licensee may disclose nonpublic personal financial information about a consumer to a nonaffiliated third party only if:

1. The licensee has provided to the consumer an initial notice as required under § 7.5 of this Part;
2. The licensee has provided to the consumer an opt-out notice as required in § 7.8 of this Part;
3. The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
4. The consumer does not opt out ^[1.1].

Exceptions to Opt-Out Requirements

There are exceptions to the opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing ^[1.3] and other exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information ^[1.4].

Annual Privacy Notice

A licensee must provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship ^[1.5].

Information To Be Included In Privacy Notices

The initial, annual and revised privacy notices that a licensee provides under §§ 7.5, 7.6 and 7.9 of this Part shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice:

1. The categories of nonpublic personal financial information that the licensee collects;
2. The categories of nonpublic personal financial information that the licensee discloses;
3. The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under §§ 7.16 and 7.17 of this Part;
4. The categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customers, other than those parties to whom the licensee discloses information under §§ 7.16 and 7.17 of this Part;
5. If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under § 7.15 of this Part (and no other exception in §§ 7.16 and 7.17 of this Part applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
6. An explanation of the consumer’s right under § 7.12(A) of this Part to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
7. Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. § 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
8. The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal financial information; and
9. Any disclosure that the licensee makes under § 7.7(B) of this Part ^[1.2].

Based on the above, it is clear that Rhode Island law imposes strict requirements on the sharing of personal information with third parties. A licensee must provide an initial notice, an opt-out notice, and a reasonable opportunity to opt-out before disclosing any nonpublic personal financial information about a consumer to a nonaffiliated third party. There are exceptions to these requirements, but they are limited. A licensee must also provide an annual privacy notice to customers and is subject to limits on redisclosure and reuse of nonpublic personal financial information. Therefore, you can share personal information about your customers with third parties in Rhode Island only if you meet the above conditions and requirements.

Source(s):

• [1.1] Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties
• [1.2] Information To Be Included In Privacy Notices
• [1.3] Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing
• [1.4] Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information
• [1.5] Annual Privacy Notice to Customers Required

Jurisdiction

Rhode Island

• Privacy