Can I share personal information about my customers with third parties in Utah? What are the requirements?
Sharing Personal Information with Third Parties in Utah
In Utah, you may share personal information about your customers with third parties only if certain conditions are met [1.1]. These conditions include:
- Providing the customer with an initial notice as required under Section 5.
- Providing the customer with an opt-out notice as required in Section 8.
- Giving the customer a reasonable opportunity, before disclosing the information to the nonaffiliated third party, to opt out of the disclosure.
- The customer does not opt out.
You provide a customer with a reasonable opportunity to opt out if:
- By mail. You mail the notices required in Subsection R590-206-12(1)(a) to the customer and allow the customer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days from the date you mailed the notices.
- By electronic means. A customer opens an online account with you and agrees to receive the notices required in Subsection R590-206-12(1)(a) electronically, and you allow the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
- Isolated transaction with customer. For an isolated transaction such as providing the customer with an insurance quote, you provide the customer with a reasonable opportunity to opt out if you provide the notices required in Subsection R590-206-12(1)(a) at the time of the transaction and request that the customer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
You must comply with this section, regardless of whether you and the customer have established a customer relationship [1.1].
Information to be Included in Privacy Notices
The initial, annual, and revised privacy notices that you provide under Sections 5, 6, and 9 shall include each of the following items of information, in addition to any other information you wish to provide, that applies to you and to the customers to whom you send your privacy notice [1.3]:
- The categories of nonpublic personal financial information that you collect.
- The categories of nonpublic personal financial information that you disclose.
- The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal financial information, other than those parties to whom you disclose information under Sections 16 and 17.
- The categories of nonpublic personal financial information about your former customers that you disclose and the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal financial information about your former customers, other than those parties to whom you disclose information under Sections 16 and 17.
- An explanation of the customer’s right under Subsection R590-206-12(1) to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the customer may exercise that right at that time.
- Any disclosures that you make under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates).
- Your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information.
Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
If you receive nonpublic personal financial information from a nonaffiliated financial institution under an exception in Sections 16 and 17 of the rule, your disclosure and use of that information is limited [1.6]. You may disclose the information to the affiliates of the financial institution from which you received the information. You may also disclose the information to your affiliates, but your affiliates may, in turn, disclose and use the information only to the extent that you yourself may disclose and use the information [1.6].
Annual Privacy Notice to Customers Required
You shall provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship [1.2]. You may define the 12 consecutive month period, but you shall apply it to the customer on a consistent basis. You provide a notice annually if you define the 12 consecutive month period as a calendar year and provide the annual notice to the customer once in each calendar year following the calendar year in which you provided the initial notice [1.2].
Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information
The requirements for initial notice to customers in Subsection R590-206-5(1)(b), the opt out in Sections 8 and 12, and service providers and joint marketing in Section 15 do not apply when you disclose nonpublic personal financial information [1.4]:
- With the consent or at the direction of the customer, provided that the customer has not revoked the consent or direction.
- To protect the confidentiality or security of your records pertaining to the customer, service, product or transaction.
- To protect against or prevent actual or potential fraud or unauthorized transactions.
- For required institutional risk control or for resolving customer disputes or inquiries.
- To persons holding a legal or beneficial interest relating to the customer.
- To persons acting in a fiduciary or representative capacity on behalf of the customer.
- To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating you, persons that are assessing your compliance with industry standards, and your attorneys, accountants and auditors.
- To the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978 (12 U.S.C. 3401 et seq.), to law enforcement agencies (including the Federal Reserve Board, Office of the Comptroller of the Currency, Federal Deposit Insurance Corporation, Office of Thrift Supervision, National Credit Union Administration, the Securities and Exchange Commission, the Secretary of the Treasury, with respect to 31 U.S.C. Chapter 53, Subchapter II (Records and Reports on Monetary Instruments and Transactions) and 12 U.S.C. Chapter 21 (Financial Recordkeeping), a state insurance authority, and the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety.
- To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), or from a consumer report reported by a consumer reporting agency.
- In connection with a proposed or actual sale, merger, transfer or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely customers of the business or unit.
- To comply with federal, state or local laws, rules and other applicable legal requirements.
- To comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities.
- To respond to judicial process or government regulatory authorities having jurisdiction over you for examination, compliance or other purposes as authorized by law.
- For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers’ compensation policy.
Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing
The opt out requirements in Sections 8 and 12 do not apply when you provide nonpublic personal financial information to a nonaffiliated third party to perform services for you or functions on your behalf, if you [1.5]:
- Provide the initial notice in accordance with Section 5.
- Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information, including use under an exception in Sections 16 and 17 in the ordinary course of business to carry out those purposes.
The services a nonaffiliated third party performs for you may include marketing of your own products or services or marketing of financial products or services offered pursuant to joint agreements between you and one or more financial institutions [1.5].
Use of Personally Identifiable Information
Any personally identifiable information an individual provides to a State website shall be used solely by the State, its entities, and third party agents with whom it has contracted to perform a state function on its behalf, unless this rule is superseded by a federal statute, federal regulation, or State statute in which case the personally identifiable information shall be used by other parties only to the extent required by the superseding federal statute, federal regulation or State Statute, or the information is designated as public record by an individual State agency as authorized under Title 63G, Chapter 2 of the Utah Code, Government Records Access and Management Act [2.1][3.1].
In conclusion, you may share personal information about your customers with third parties in Utah only if certain conditions are met, including providing the customer with an initial notice and an opt-out notice, and giving the customer a reasonable opportunity to opt out of the disclosure. You must also include certain information in your privacy notices, including an explanation of the customer’s right to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties. If you receive nonpublic personal financial information from a nonaffiliated financial institution, your disclosure and use of that information is limited. You shall provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. There are exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information, including for service providers and joint marketing. Any personally identifiable information an individual provides to a State website shall be used solely by the State, its entities, and third party agents with whom it has contracted to perform a state function on its behalf, unless superseded by a federal statute, federal regulation, or State statute or designated as public record by an individual State agency.
Source(s):
- [1.1] Limitations on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties.
- [1.2] Annual Privacy Notice to Customers Required.
- [1.3] Information to be Included in Privacy Notices.
- [1.4] Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information.
- [1.5] Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing.
- [2.1] Use of Personally Identifiable Information.
- [3.1] Use of Personally Identifiable Information.
- [1.6] Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information.
Jurisdiction
Utah