Can I use third-party customer service tools that collect personal information in Colorado? What are the requirements?
Using Third-Party Customer Service Tools that Collect Personal Information in Colorado
Yes, you can use third-party customer service tools that collect personal information in Colorado as long as you comply with the requirements set forth in the Colorado Code of Regulations (3 COCR 702-6 Regulation 6-4-1).
Requirements for Disclosure of Nonpublic Personal Financial Information
If the personal information collected by the third-party customer service tool is nonpublic personal financial information, you must comply with the requirements for disclosure of nonpublic personal financial information to nonaffiliated third parties as set forth in Section 12 of the regulation. This includes providing an initial notice, an opt-out notice, and a reasonable opportunity for the consumer to opt out of the disclosure.
However, there are exceptions to the opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing (Section 15) and for processing and servicing transactions (Section 16). If you disclose nonpublic personal financial information to a nonaffiliated third party to perform services for you or functions on your behalf, or as necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, you may be exempt from the opt-out requirements if you provide the initial notice and enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information.
Other exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information are listed in Section 17 of the regulation [1.2].
Requirements for Disclosure of Nonpublic Personal Health Information
If the personal information collected by the third-party customer service tool is nonpublic personal health information, you must comply with the requirements for disclosure of nonpublic personal health information as set forth in Section 18 of the regulation. This includes obtaining authorization from the consumer or customer whose nonpublic personal health information is sought to be disclosed, unless the disclosure is for certain insurance functions.
Information to be Included in Privacy Notices
If you use third-party customer service tools that collect personal information, you must include a description of the categories of nonpublic personal financial information that you collect and disclose, the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal financial information, and your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information in your initial, annual, and revised privacy notices as set forth in Section 7 of the regulation.
Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
If you receive nonpublic personal financial information from a nonaffiliated financial institution under an exception in Section 16 or 17 of the regulation, your disclosure and use of that information are limited. For example, you may disclose the information to the affiliates of the financial institution from which you received the information, but you may not disclose that information to a third party for marketing purposes or use that information for your own marketing purposes [1.4].
Contract Requirements
If you are a vendor or primary user, you must execute a contract with the department in accordance with section 42-1-206(3.7), C.R.S. The contract between the department and a vendor shall include provisions that ensure that no data will be transferred to a sub-vendor unless the sub-vendor has provided the vendor, and the vendor has approved, a form, DR 2489, Requestor Release and Affidavit of Intended Use, and has agreed that it will not use the data in a manner prohibited by law [2.1].
In summary, you can use third-party customer service tools that collect personal information in Colorado as long as you comply with the requirements set forth in the Colorado Code of Regulations (3 COCR 702-6 Regulation 6-4-1). If the personal information collected is nonpublic personal financial information, you must comply with the requirements for disclosure of nonpublic personal financial information to nonaffiliated third parties as set forth in Section 12 of the regulation. If the personal information collected is nonpublic personal health information, you must comply with the requirements for disclosure of nonpublic personal health information as set forth in Section 18 of the regulation. You must also include a description of the categories of nonpublic personal financial information that you collect and disclose, the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal financial information, and your policies and practices with respect to protecting the confidentiality and security of nonpublic personal information in your initial, annual, and revised privacy notices as set forth in Section 7 of the regulation.
Source(s):
- [1.2] Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information
- [1.4] Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information
- [2.1] Contract Requirements
Jurisdiction
Colorado