Can I use third-party cloud storage services that collect personal information in Pennsylvania? What are the requirements?

Use of Third-Party Cloud Storage Services in Pennsylvania

Based on the provided documents, there are no specific regulations in Pennsylvania that prohibit the use of third-party cloud storage services that collect personal information. However, licensees who use such services must comply with the requirements for the use and release of personal information ^[1.1] and the limits on redisclosure and reuse of nonpublic personal financial information ^[2.2].

Licensees must ensure that the third-party cloud storage service provider complies with the requirements for the use and release of personal information and the limits on redisclosure and reuse of nonpublic personal financial information. Licensees must also obtain the necessary authorization from the consumer whose nonpublic personal health information is sought to be disclosed when using third-party cloud storage services ^[3.1].

In addition, licensees must comply with the opt-out requirements for disclosure of nonpublic personal financial information to nonaffiliated third parties ^[2.3]. However, there are exceptions to these requirements for service providers and joint marketing ^[2.1] and for processing and servicing transactions ^[2.5].

In summary, while there are no specific regulations that prohibit the use of third-party cloud storage services that collect personal information in Pennsylvania, licensees must comply with the requirements for the use and release of personal information, the limits on redisclosure and reuse of nonpublic personal financial information, obtain necessary authorization, and comply with opt-out requirements or applicable exceptions when using third-party cloud storage services.

^[1.1]: 43 PACO Section 1.14 ^[2.1]: 31 PACO Section 146a.31 ^[2.2]: 31 PACO Section 146a.22 ^[2.3]: 31 PACO Section 146a.21 ^[3.1]: 31 PACO Section 146b.11 ^[2.5]: 31 PACO Section 146a.32

Source(s):

• [1.1] Use and release of personal information.
• [2.1] Exception to opt out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing.
• [2.2] Limits on redisclosure and reuse of nonpublic personal financial information.
• [2.3] Limitation on disclosure of nonpublic personal financial information to nonaffiliated third parties.
• [3.1] Authorization required for disclosure of nonpublic personal health information.
• [2.5] Exceptions to notice and opt out requirements for disclosure of nonpublic personal financial information for processing and servicing transactions.

Jurisdiction

Pennsylvania

• Privacy