Can I use third-party cloud storage services that collect personal information in Alabama? What are the requirements?

Using Third-Party Cloud Storage Services in Alabama

Based on the provided context documents, if you are a licensee in Alabama, you may use third-party cloud storage services that collect personal information, but you must comply with the requirements for the storage of proprietary information and the limits on disclosure of nonpublic personal financial information to nonaffiliated third parties.

Requirements for Storage of Proprietary Information

According to ALAC Section 225-1-4-3, all proprietary information in possession of the Board shall be maintained in a secure area and in files marked “CONFIDENTIAL.” All proprietary information submitted to the Board shall be returned to the producing party within sixty (60) days of the conclusion of the Board’s use thereof, and the Board shall certify that all summaries, notes, extracts, compilations or any direct or indirect reproductions of such information have been destroyed.

Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties

According to ALAC Section 482-1-122-11, a licensee may not, directly or through any affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party unless all of the following occur:

• The licensee has provided to the consumer an initial notice as required under Section 5.
• The licensee has provided to the consumer an opt-out notice as required in Section 8.
• The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt-out of the disclosure.
• The consumer does not opt-out.

Exceptions to Opt-Out Requirements for Disclosure of Nonpublic Personal Financial Information

There are exceptions to the opt-out requirements for disclosure of nonpublic personal financial information. For example, the opt-out requirements do not apply when a licensee provides nonpublic personal financial information to a nonaffiliated third party to perform services for the licensee or functions on the licensee’s behalf, if the licensee provides the initial notice in accordance with Section 5 and enters into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information, including use under an exception in Sections 15 or 16 in the ordinary course of business to carry out those purposes ^[3.3].

Therefore, if you are a licensee in Alabama and you use third-party cloud storage services that collect personal information, you must ensure that you comply with the requirements for the storage of proprietary information and the limits on disclosure of nonpublic personal financial information to nonaffiliated third parties. Additionally, you may be able to take advantage of exceptions to the opt-out requirements for disclosure of nonpublic personal financial information if you provide the initial notice and enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which the licensee disclosed the information ^[3.3].

Source(s):

• [3.3] Exception To Opt Out Requirements For Disclosure Of Nonpublic Personal Financial Information For Service Providers And Joint Marketing

Jurisdiction

Alabama

• Privacy