Can I use third-party email marketing tools that collect personal information in Maryland? What are the requirements?
Requirements for Using Third-Party Email Marketing Tools in Maryland
If you are using third-party email marketing tools that collect personal information in Maryland, you must comply with the Maryland Code of Regulations (MDCR) 31.16.08.12 and 31.16.08.14. These regulations provide guidelines for the limits on redisclosure and reuse of nonpublic personal financial information and exceptions to opt-out requirements for disclosure of nonpublic personal financial information for service providers and joint marketing.
Under MDCR 31.16.08.12, if you receive nonpublic personal financial information from a nonaffiliated financial institution, you may disclose the information only to the affiliates of the financial institution from which you received the information, to your affiliates, or to any other person if the disclosure would be lawful if made directly to that person by the financial institution from which you received the information. You may not disclose that information to a third party for marketing purposes or use that information for your own marketing purposes.
Under MDCR 31.16.08.14, the opt-out requirements do not apply when you provide nonpublic personal financial information to a nonaffiliated third party to perform services for you or functions on your behalf, if you provide the initial notice in accordance with Regulation .05 of this chapter and enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information.
Exemption from Notice and Opt Out Requirements for Nonpublic Personal Financial Information.
MDCR 31.16.08.04 provides an exemption from notice and opt-out requirements for nonpublic personal financial information. A licensee is not subject to the notice and opt-out requirements for nonpublic personal financial information of this chapter if:
- The licensee is an employee, agent, or other representative of another licensee;
- The other licensee otherwise complies with, and provides the notices required by, the provisions of this chapter; and
- The licensee does not disclose any nonpublic personal information to any person other than the other licensee or its affiliates in a manner permitted by this chapter.
Limits on Sharing Account Number Information for Marketing Purposes.
MDCR 31.16.08.13 provides limits on sharing account number information for marketing purposes. A licensee may not, directly or through an affiliate, disclose, other than to a consumer reporting agency, a policy number or similar form of access number or access code for a consumer’s policy or transaction account to a nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
Relationship to Maryland Laws.
MDCR 31.16.08.21 states that this chapter does not preempt or supersede existing State law related to medical records, health information privacy, or insurance information privacy.
Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information.
MDCR 31.16.08.16 provides other exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information. The requirements for initial notice to consumers, the opt-out, and service providers and joint marketing do not apply when a licensee discloses nonpublic personal financial information:
- With the consent or at the direction of the consumer, if the consumer has not revoked the consent or direction;
- To protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product, or transaction;
- To protect against or prevent actual or potential fraud or unauthorized transactions;
- For required institutional risk control or for resolving consumer disputes or inquiries;
- To persons holding a legal or beneficial interest relating to the consumer;
- To persons acting in a fiduciary or representative capacity on behalf of the consumer;
- To provide information to: insurance rate advisory organizations, guaranty funds or agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants, and auditors;
- To the extent specifically permitted or required under other provisions of law and in accordance with the federal Right to Financial Privacy Act of 1978, to law enforcement agencies, self-regulatory organizations, or for an investigation on a matter related to public safety;
- To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act;
- From a consumer report reported by a consumer reporting agency;
- In connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal financial information concerns solely consumers of the business or unit;
- To comply with federal, state, or local laws, rules, and other applicable legal requirements;
- To comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by federal, state, or local authorities;
- To respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance, or other purposes as authorized by law; or
- For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan, or a workers’ compensation plan.
Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties.
MDCR 31.16.08.11 provides limits on disclosure of nonpublic personal financial information to nonaffiliated third parties. A licensee may not, directly or through an affiliate, disclose nonpublic personal financial information about a consumer to a nonaffiliated third party unless:
- The licensee has provided to the consumer an initial notice as required under Regulation .05 of this chapter;
- The licensee has provided to the consumer an opt-out notice as required in Regulation .08 of this chapter;
- The licensee has given the consumer a reasonable opportunity, before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
- The consumer does not opt out.
A licensee provides a consumer with a reasonable opportunity to opt out if:
- The licensee mails the notices required in Regulations .05 and .08 of this chapter to the consumer and allows the consumer to opt out by mailing a form within 30 days from the date the licensee mailed the notices, calling a toll-free telephone number within 30 days from the date the licensee mailed the notices, or using any other reasonable means within 30 days from the date the licensee mailed the notices;
- A customer opens an on-line account with a licensee and agrees to receive the notices required in Regulations .05 and .08 of this chapter electronically; and the licensee allows the customer to opt out by any reasonable means within 30 days after the date that the customer acknowledges receipt of the notices in conjunction with opening the account; or
- For an isolated transaction such as providing the consumer with an insurance quote, the licensee provides the notices required in Regulations .05 and .08 of this chapter at the time of the transaction and requests that the consumer decide, as a necessary part of the transaction, whether to opt out before completing the transaction.
A licensee shall comply with this regulation regardless of whether the licensee and the consumer have established a customer relationship. Unless a licensee complies with this regulation, the licensee may not, directly or through an affiliate, disclose nonpublic personal financial information about a consumer that the licensee has collected, regardless of whether the licensee collected it before or after receiving the direction to opt out from the consumer.
Conclusion
In summary, if you are using third-party email marketing tools that collect personal information in Maryland, you must comply with MDCR 31.16.08.12 and 31.16.08.14. You may disclose nonpublic personal financial information only to the affiliates of the financial institution from which you received the information, to your affiliates, or to any other person if the disclosure would be lawful if made directly to that person by the financial institution from which you received the information. You may not disclose that information to a third party for marketing purposes or use that information for your own marketing purposes.
Jurisdiction
Maryland