CFR > Title 12 - Banks and Banking > CHAPTER I—COMPTROLLER OF THE CURRENCY, DEPARTMENT OF THE TREASURY > PART 40—PRIVACY OF CONSUMER FINANCIAL INFORMATION > SUBPART A—Privacy and Opt Out Notices (§40.4 to §40.9) > 40.8—Revised privacy notices.

40.8—Revised privacy notices.

(a) General rule. Except as otherwise authorized in this part, a bank must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that the bank provided to that consumer under § 40.4, unless:
(1) The bank has provided to the consumer a clear and conspicuous revised notice that accurately describes its policies and practices;
(2) The bank has provided to the consumer a new opt out notice;
(3) The bank has given the consumer a reasonable opportunity, before the bank discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(4) The consumer does not opt out.
(b) Examples. (1) Except as otherwise permitted by §§ 40.13, 40.14, and 40.15, a bank must provide a revised notice before it:
(i) Discloses a new category of nonpublic personal information to any nonaffiliated third party;
(ii) Discloses nonpublic personal information to a new category of nonaffiliated third party; or
(iii) Disclose nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.
(2) A revised notice is not required if the bank discloses nonpublic personal information to a new nonaffiliated third party that the bank adequately described in its prior notice.
(c) Delivery. When a bank is required to deliver a revised privacy notice by this section, the bank must deliver it according to § 40.9.