Can I store personal information about my customers in New York? What are the requirements?
Yes, you can store personal information about your customers in New York, but you must comply with the requirements set forth in the New York Codes, Rules and Regulations (NYCRR) Title 11, Chapter IV, Part 420 - Privacy of Consumer Financial and Health Information.
Annual and Initial Privacy Notices
Under 11 NYCRR 420.4, you must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to customers not later than when you establish a customer relationship. You must also provide an initial notice to a consumer before you disclose any nonpublic personal financial information about the consumer to any nonaffiliated third party, if you make such a disclosure other than as authorized by sections 420.14 and 420.15 of this Part.
Under 11 NYCRR 420.5, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. You must define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.
Limits on Disclosure and Redisclosure of Nonpublic Personal Financial Information
Under 11 NYCRR 420.10, you may not disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless you have provided the consumer with an initial notice, an opt-out notice, and a reasonable opportunity to opt out of the disclosure. You must comply with this section regardless of whether you and the consumer have established a customer relationship.
Authorization for Disclosure of Nonpublic Personal Health Information
Under 11 NYCRR 420.17, you may not disclose nonpublic personal health information about a consumer or customer unless an authorization is obtained from the consumer or customer whose nonpublic personal health information is sought to be disclosed.
Delivery
When you are required by the NYCRR to deliver an annual or initial privacy notice, you must deliver it according to section 420.9 of this Part.
Jurisdiction
New York