Can I share personal information about my customers with third parties in Tennessee? What are the requirements?
Sharing Personal Information with Third Parties in Tennessee
In Tennessee, you may share personal information about your customers with third parties under certain conditions. The Tennessee Nonpublic Personal Information Protection Act (NPIPA) [1.1] sets out the requirements for sharing nonpublic personal information with nonaffiliated third parties.
Conditions for Disclosure
Under the NPIPA, a licensee may not disclose any nonpublic personal information about a consumer to a nonaffiliated third party unless:
- The licensee has provided the consumer with an initial notice as required under Section 0780-1-72-.05 of the NPIPA [1.1].
- The licensee has provided the consumer with an opt-out notice as required in Section 0780-1-72-.08 of the NPIPA [1.1].
- The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure.
- The consumer does not opt out.
Opt-Out Definition
Opt-out means a direction by the consumer that the licensee not disclose nonpublic personal information about that consumer to a nonaffiliated third party, other than as permitted by Sections 0780-1-72-.14, 0780-1-72-.15, and 0780-1-72-.16 of the NPIPA [1.1].
Reasonable Opportunity to Opt Out
A licensee provides a consumer with a reasonable opportunity to opt out if:
- By mail. The licensee mails the notices required in Paragraph (a) of Section 0780-1-72-.11 of the NPIPA to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within thirty (30) days from the date the licensee mailed the notices.
- By electronic means. A customer opens an online account with a licensee and agrees to receive the notices required in Paragraph (a) of Section 0780-1-72-.11 of the NPIPA electronically, and the licensee allows the customer to opt out by any reasonable means within thirty (30) days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
- Isolated transaction with consumer. For an isolated transaction such as providing the consumer with an insurance quote, a licensee provides the consumer with a reasonable opportunity to opt out if the licensee provides the notices required in Paragraph (a) of Section 0780-1-72-.11 of the NPIPA at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
Exceptions to Opt-Out Requirements
There are exceptions to the opt-out requirements for disclosure of nonpublic personal information for service providers and joint marketing [1.3], processing and servicing transactions [1.6], and redisclosure and reuse of nonpublic personal information [1.5].
In general, the opt-out requirements do not apply when a licensee provides nonpublic personal information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information [1.3].
The requirements for initial notice, opt-out, and service providers and joint marketing do not apply if the licensee discloses nonpublic personal information as necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes [1.6].
If a licensee receives nonpublic personal information from a nonaffiliated financial institution under an exception in Sections 0780-1-72-.15 or 0780-1-72-.16 of the NPIPA, the licensee’s disclosure and use of that information is limited [1.5].
Other Exceptions to Notice and Opt-Out Requirements
Exceptions to the opt-out requirements include:
- With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction.
- To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction.
- To protect against or prevent actual or potential fraud or unauthorized transactions.
- For required institutional risk control or for resolving consumer disputes or inquiries.
- To persons holding a legal or beneficial interest relating to the consumer.
- To persons acting in a fiduciary or representative capacity on behalf of the consumer.
- To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants and auditors.
- To comply with federal, state or local laws, rules and other applicable legal requirements.
- To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities.
- To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law.
- For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers’ compensation plan [1.2].
Annual Privacy Notices to Customers Required
A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. A licensee may define the twelve (12) consecutive month period, but the licensee shall apply it to the customer on a consistent basis [1.4].
Conclusion
In summary, you may share personal information about your customers with third parties in Tennessee under certain conditions. You must provide the consumer with an initial notice, an opt-out notice, and a reasonable opportunity to opt out. There are exceptions to the opt-out requirements for disclosure of nonpublic personal information for service providers and joint marketing, processing and servicing transactions, and redisclosure and reuse of nonpublic personal information. Other exceptions to notice and opt-out requirements include consent or direction of the consumer, protection of confidentiality or security of licensee’s records, prevention of fraud or unauthorized transactions, and compliance with legal requirements. Additionally, you must provide annual privacy notices to customers.
Source(s):
- [1.1] LIMITS ON DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION TO NONAFFILIATED THIRD PARTIES
- [1.2] OTHER EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION
- [1.3] EXCEPTION TO OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION FOR SERVICE PROVIDERS AND JOINT MARKETING
- [1.4] ANNUAL PRIVACY NOTICES TO CUSTOMERS REQUIRED
- [1.5] LIMITS ON REDISCLOSURE AND REUSE OF NONPUBLIC PERSONAL INFORMATION
- [1.6] EXCEPTIONS TO NOTICE AND OPT OUT REQUIREMENTS FOR DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION FOR PROCESSING AND SERVICING TRANSACTIONS
Jurisdiction
Tennessee