Can I use third-party customer service tools that collect personal information in Pennsylvania? What are the requirements?

Using Third-Party Customer Service Tools that Collect Personal Information in Pennsylvania

If you are using third-party customer service tools that collect personal information in Pennsylvania, there are specific requirements that you must follow.

According to 52 PACO Section 63.135, access to and use of customer information shall be limited to employees, agents, or independent contractors who have a legitimate need to use the information in the performance of their work duties and, because of the nature of their duties, need to examine the data to accomplish the legitimate and lawful activities necessarily incident to the rendition of service by the telecommunications company. An employee, agent, or independent contractor shall be prohibited from using customer information for personal benefit or the benefit of another person not authorized to receive the information. Customer information that is not subject to public availability may not be disclosed to persons outside the telecommunications company or to subsidiaries or affiliates of the telecommunications company, except in limited instances which are a necessary incident to the provision of service, the protection of the legal rights or property of the telecommunications company, the protection of the telecommunications company, an interconnecting carrier, a customer or a user of service from fraudulent, unlawful or abusive use of service, a disclosure that is required by a valid subpoena, search warrant, court order or other lawful process, a disclosure that is requested or consented to by the customer or the customer’s attorney, agent, employee or other authorized representative, a disclosure request that is required or permitted by law, including the regulations, decisions or orders of a regulatory agency, or a disclosure to governmental entities if the customer has consented to the disclosure, the disclosure is required by a subpoena, warrant or court order or disclosure is made as part of telecommunications company service.

However, it is unclear from the context whether third-party customer service tools are subject to the same requirements. Therefore, it is recommended that you consult with a legal expert or the Pennsylvania Public Utility Commission for guidance on the use of third-party customer service tools that collect personal information in Pennsylvania.

Limitation on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties

If you are collecting nonpublic personal financial information, there are specific requirements that you must follow. According to 31 PACO Section 146a.21, a licensee may not, directly or through an affiliate, disclose nonpublic personal financial information about a consumer to a nonaffiliated third party unless all of the following conditions are met:

1. The licensee has provided to the consumer an initial notice as required under § 146a.11 (relating to initial privacy notice to consumers required).
2. The licensee has provided to the consumer an opt-out notice as required in § 146a.14 (relating to form of opt-out notice to consumers and opt-out methods).
3. The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure.
4. The consumer does not opt out.

A licensee provides a consumer with a reasonable opportunity to opt out if:

1. By mail. The licensee mails the notices required in subsection (a) to the consumer and allows the consumer to opt out by mailing a form, calling a toll-free telephone number, or any other reasonable means within 30 days from the date the licensee mailed the notices.
2. By electronic means. A customer opens an online account with a licensee and agrees to receive the notices required in subsection (a) electronically, and the licensee allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account.
3. Isolated transaction with consumer. For an isolated transaction such as providing the consumer with an insurance quote, a licensee provides the consumer with a reasonable opportunity to opt out if the licensee provides the notices required in subsection (a) at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.

Limits on Redisclosure and Reuse of Nonpublic Personal Financial Information

If you receive nonpublic personal financial information from a nonaffiliated financial institution, there are specific limits on redisclosure and reuse of that information. According to 31 PACO Section 146a.22, if a licensee receives nonpublic personal financial information from a nonaffiliated financial institution under an exception in § 146a.32 or § 146a.33, the licensee’s disclosure and use of that information is limited.

The licensee may disclose the information to the affiliates of the financial institution from which the licensee received the information. The licensee may disclose the information to its affiliates, but the licensee’s affiliates may, in turn, disclose and use the information only to the extent that the licensee may disclose and use the information. The licensee may disclose and use the information under an exception in § 146a.32 or § 146a.33, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.

If a licensee receives nonpublic personal financial information from a nonaffiliated financial institution other than under an exception in § 146a.32 or § 146a.33, the licensee may disclose the information only to the affiliates of the financial institution from which the licensee received the information. The licensee may disclose the information to its affiliates, but its affiliates may, in turn, disclose the information only to the extent that the licensee may disclose the information. The licensee may disclose the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which the licensee received the information.

If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under an exception in § 146a.32 or § 146a.33, the nonaffiliated third party may disclose and use that information only as follows: the nonaffiliated third party may disclose the information to the licensee’s affiliates. The nonaffiliated third party may disclose the information to its affiliates, but its affiliates may, in turn, disclose and use the information only to the extent that the nonaffiliated third party may disclose and use the information. The nonaffiliated third party may disclose and use the information under an exception in § 146a.32 or § 146a.33, in the ordinary course of business to carry out the activity covered by the exception under which the licensee received the information.

If a licensee discloses nonpublic personal financial information to a nonaffiliated third party other than under an exception in § 146a.32 or § 146a.33, the nonaffiliated third party may disclose the information only to the licensee’s affiliates. The nonaffiliated third party may disclose the information to the nonaffiliated third party’s affiliates, but the nonaffiliated third party’s affiliates, in turn, may disclose the information only to the extent the nonaffiliated third party can disclose the information. The nonaffiliated third party may disclose the information to any other person, if the disclosure would be lawful if the licensee made it directly to that person.

If you have any further questions or concerns, it is recommended that you consult with a legal expert or the Pennsylvania Public Utility Commission for guidance.

Jurisdiction

Pennsylvania

• Privacy