D.C. Municipal Regulations (Last Updated: September 13, 2017) |
Title 26. INSURANCE, SECURITIES, AND BANKING |
SubTilte 26-A. INSURANCE |
Chapter 26-A36. PRIVACY OF CONSUMER FINANCIAL INFORMATION |
Section 26-A3605. FORM AND METHOD OF PROVIDING OPT OUT NOTICE TO CONSUMERS; DELIVERY
-
3605.1If a licensee is required to provide an opt out notice under § 3604.1 through § 3604.4, the licensee shall provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out under § 3604.1. The notice shall state:
(a)That the licensee discloses or reserves the right to disclose nonpublic personal information about its consumer to a nonaffiliated third party;
(b)That the consumer has the right to opt out of that disclosure; and
(c)A reasonable means by which the consumer may exercise the opt out right.
3605.2A licensee provides adequate notice that the consumer can opt out of the disclosure of nonpublic personal information to a nonaffiliated third party if the licensee identifies all of the categories of nonpublic personal information that the licensee discloses or reserves the right to disclose to nonaffiliated third parties as described in § 3603 and states that the consumer can opt out of the disclosure of that information.
3605.3A licensee provides a reasonable means to exercise an opt out right if it:
(a)Designates check-off boxes in a prominent position on the relevant forms with the opt out notice;
(b)Includes a reply form together with the opt out notice;
(c)Provides an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the licensee's web site, if the consumer agrees to the electronic delivery of information; or
(d)Provides a toll-free telephone number that consumers may call to opt out.
3605.4A licensee does not provide a reasonable means of opting out if the only means of opting out is for the consumer to write his or her own letter to exercise the opt out right.
3605.5A licensee may not provide the opt out notice solely by orally explaining, either in person or over the telephone, the right of the consumer to opt out.
3605.6A licensee may provide the opt out notice together with or on the same written or electronic form as the initial notice it provides in accordance with § 3601.
3605.7If a licensee provides the opt out notice at a later time than required for the initial notice in accordance with § 3601, it shall also include a copy of the initial notice in writing or, if the consumer agrees, in an electronic form with the opt out notice.
3605.8Except as otherwise authorized in this regulation, a licensee shall not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to the consumer under § 3601, unless:
(a)A licensee has provided to the consumer a revised notice that accurately describes its policies and practices;
(b)A licensee has provided to the consumer a new opt out notice;
(c)A licensee has given the consumer a reasonable opportunity before it discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
(d)The consumer does not opt out.
3605.9A licensee shall provide the revised notice of its policies and practices and opt out notice, if required under § 3605.8, to a consumer using the means permitted for providing the initial notice and opt out notice to that consumer under §§ 3601 and 3605, respectively.
3605.10Except as otherwise permitted by §§ 3606, 3607 and 3708, a revised notice is required if the licensee:
(a)Discloses a new category of nonpublic personal information to any nonaffiliated third party; or
(b)Discloses nonpublic personal information to a new category of any nonaffiliated third party.
3605.11A revised notice is not required if the licensee discloses nonpublic personal information to a new nonaffiliated third party that is adequately described by its prior notice.
3605.12A consumer may exercise the right to opt out at any time, and the licensee shall comply with the consumer's direction as soon as reasonably practicable.
3605.13A consumer's direction to opt out under this section is effective until revoked by the consumer in writing, or if the consumer agrees, in electronic form.
3605.14If two or more consumers jointly obtain a financial product or service from a licensee, the licensee may provide a single opt out notice. The licensee's opt out notice shall explain how the licensee will treat an opt out direction by a joint consumer.
3605.15Any of the joint consumers may exercise the right to opt out. The licensee may either:
(a)Treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or
(b)Permit each joint consumer to opt out separately.
3605.16If the licensee permits each joint consumer to opt out separately, the licensee shall permit one of the joint consumers to opt out on behalf of all the joint consumers.
3605.17A licensee may not require all joint consumers to opt out before the licensee implements any opt out direction.
3605.18For example, if John and Mary are both named insureds on an insurance policy with a licensee and arrange for the licensee to send all correspondence about the policy to John's address, the licensee may do any of the following, but the licensee shall explain in its opt out notice which opt out policy it will follow:
(a)Send a single opt out notice to John's address, but the licensee shall accept an opt out direction from either John or Mary;
(b)Treat an opt out direction by either John or Mary as applying to the entire account. If the licensee does so, and John opts out, the licensee may not require Mary to opt out as well before implementing John's opt out direction; or
(c)Permit John and Mary to take different opt out directions. If a licensee does so, and both opt out, the licensee shall permit both to notify the licensee in a single response (such as on a form or through a telephone call). In addition, if John opts out but Mary does not, the licensee may disclose nonpublic personal information about Mary, but not about John and not about Mary and John jointly.
3605.19A licensee shall provide any privacy notices and opt out notices, including short-form initial notices in § 3603.9, that this section requires so that each consumer can reasonably be expected to receive actual notice in writing or, if the consumer agrees, electronically.
3605.20A licensee may reasonably expect that a consumer will receive actual notice if the licensee:
(a)Hand-delivers a printed copy to the notice to the consumer;
(b)Mails a printed copy of the notice to the last known address of the consumer separately, or in a policy, billing or other written communication;
(c)For the consumer who conducts transactions electronically, clearly and conspicuously posts the notice on the electronic site and requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining a particular financial product or service; or
(d)For an isolated transaction with the consumer, such as the licensee providing an insurance quote or selling the consumer travel insurance, requires the consumer to acknowledge receipt of the notice as a necessary step to obtaining the particular financial product or service.
3605.21A licensee may not reasonably expect that a consumer will receive actual notice of the licensee's privacy policies and practices if the licensee:
(a)Only posts a sign in its branch or office or generally publishes advertisements of its privacy policies and practices; or
(b)Sends the notice via electronic mail to a consumer who does not obtain a financial product or service from the licensee electronically.
3605.22A licensee may reasonably expect that a customer will receive actual notice of the licensee's annual privacy notice if:
(a)The customer uses the licensee's web site to access financial products and services electronically and agrees to receive notices at the web site, and the licensee posts its current privacy notice continuously in a clear and conspicuous manner on the web site; or
(b)The customer has requested that the licensee refrain from sending any information regarding the customer relationship, and the licensee's current privacy notice remains available to the customer upon request.
3605.23A licensee may not provide any notice required by § 3605 solely by orally explaining the notice, either in person or over the telephone.
3605.24For customers only, a licensee shall provide the initial notice required by section 3601, the annual notice required by § 3602, and the revised notice required by § 3605.9, so that the customer can retain them or obtain them later in writing or, if the customer agrees, electronically.
3605.25The licensee provides a privacy notice to the customer so that the customer can retain it or obtain it later if the licensee:
(a)Hand-delivers a printed copy of the notice to the customer;
(b)Mails a printed copy of the notice to the last known address of the customer; or
(c)Makes the licensee's current privacy notice available on a web site (or link to another web site) for the customers who obtains a financial product or service electronically and agrees to receive the notice at the web site.
3605.26A licensee may provide a joint notice from the licensee and one or more of the licensee's affiliates or other financial institutions, as identified in the notice, as long as the notice is accurate with respect to the licensee and the other institutions. A licensee also may provide notice on behalf of another financial institution.
3605.27Producers may deliver any notice required under this regulation on behalf of another licensee. A producer shall not otherwise be subject to the requirements of this section in any instance where the insurer, including affiliates, on whose behalf the producer is acting otherwise complies with the requirements contained herein, and the producer does not disclose any financial information to any person other than the insurer or its affiliates in a manner permitted by this regulation.