D.C. Mun. Regs. tit. 26, r. 26-A3603

Current through Register 71, No. 45, November 7, 2024
Rule 26-A3603 - INFORMATION TO BE INCLUDED IN PRIVACY NOTICES
3603.1

The initial, annual and revised privacy notices that a licensee provides about its privacy policies and practices under §§ 3601 and 3602 shall include each of the following items of information:

(a) The categories of nonpublic personal information that the licensee collects;
(b) The categories of nonpublic personal information that the licensee discloses;
(c) The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal information, other than those parties to whom the licensee discloses information under §§ 3607 and 3608;
(d) The categories of nonpublic personal information about the licensee's former customers that it discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal information about its former customers, other than those parties to whom it discloses information under §§ 3607 and 3608;
(e) If a licensee discloses nonpublic personal information to a nonaffiliated third party under § 3606 (and no other exception applies to that disclosure), a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
(f) An explanation of the right under §§ 3604.1 through 3604.4 of the consumer to opt out of the disclosure of nonpublic personal information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
(g) Any disclosures that the licensee makes under section 603(d)(2)(A)(iii) of the Fair Credit Reporting Act ( 15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates); and
(h) The licensee's policies and practices with respect to protecting the confidentiality, and security of nonpublic personal information.
3603.2

If a licensee discloses nonpublic personal information about a consumer to third parties as authorized under §§ 3607 and 3608, the licensee is not required to list those exceptions in the initial or annual privacy notices required by §§ 3601 and 3602. When describing the categories with respect to those parties to whom disclosure is made, a licensee is only required to state that it makes disclosures to other nonaffiliated third parties as permitted by law.

3603.3

A licensee's notice may include:

(a) Categories of nonpublic personal information that the licensee reserves the right to disclose in the future, but does not currently disclose; and
(b) Categories of affiliates or nonaffiliated third parties to whom the licensee reserves the right in the future to disclose, but to whom the licensee does not currently disclose, nonpublic personal information.
3603.4

A licensee adequately categorizes the nonpublic personal information it collects if the licensee categorizes it according to the source of the information, such as application information, information about transactions such as information regarding its financial product or service and consumer reports.

3603.5

A licensee adequately categorizes nonpublic personal information it discloses if the licensee categorizes the information according to source, and provides a few illustrative examples of the content of the information. These might include application information, such as assets and income; identifying information, such as name, address, and social security number; and transaction information, such as information about account balance, payment history, parties to the transaction, and information from consumer reports, such as a consumer's creditworthiness and credit history. The licensee does not adequately categorize the information that it discloses if the licensee uses only general terms, such as transaction information about the consumer.

3603.6

A licensee adequately categorizes the affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal information about consumers if the licensee identifies the types of businesses that they engage in. Types of businesses may be described by general terms only if it uses a few illustrative examples of significant lines of business. For example, the licensee may use the term insurance products or services if it includes appropriate examples of significant lines of businesses, such as auto and homeowner's insurance, annuities, and life insurance. A licensee also may categorize the affiliated and nonaffiliated third parties to whom it discloses nonpublic personal information about consumers using more detailed categories.

3603.7

If a licensee does not disclose, and does not intend to disclose, nonpublic personal information to affiliates or nonaffiliated third parties, except as authorized under §§ 3607 and 3608, the licensee may simply state that fact, in addition to the information the licensee shall provide under §§ 3603.1(a), 3603.1(h), and 3603.2.

3603.8

A licensee describes its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information if the licensee describes sufficiently who is authorized to have access to the information and the circumstances under which the information may be accessed. A licensee describes its policies and practices with respect to protecting the integrity of nonpublic personal information when the licensee discloses the measures it takes to protect against reasonably anticipated threats or hazards. A licensee is not required to describe technical information about the safeguards it uses.

3603.9

A licensee may satisfy the initial notice requirements in §§ 3601 and 3605.7 for a consumer who is not a customer by providing a short-form initial notice at the same time as the licensee delivers an opt notice as required in § 3605.

3603.10

A short-form notice shall:

(a) Be clear and conspicuous;
(b) State that the licensee's privacy notice is available upon request; and
(c) Explain a reasonable means by which the consumer may obtain that notice.
3603.11

The licensee shall deliver its short-form initial notice according to § 3605. The licensee is not required to deliver its privacy notice with its short-form initial notice. The licensee instead may simply provide the consumer with a reasonable means to obtain its privacy notice. If a consumer who receives the licensee's short-form notice requests the licensee's privacy notice, the licensee shall deliver its privacy notice according to § 3605.

3603.12

The licensee provides a reasonable means by which a consumer may obtain a copy of its privacy notice if the licensee:

(a) Provides a toll-free telephone number that the consumer may call to request the notice; or
(b) For a consumer who conducts business in person at the licensee's office, maintains copies of the notice on hand that the licensee provides to the consumer immediately upon request.

D.C. Mun. Regs. tit. 26, r. 26-A3603

Emergency Rulemaking published at 47 DCR 9052(November 10, 2000) [EXPIRED]; Emergency Rulemaking published at 48 DCR 2356(March 16, 2001) [EXPIRED]; as Emergency Rulemaking published at 48 DCR 6119(July 1, 2001) [EXPIRED]; as Final Rulemaking published at 48 DCR 8005 (August 24, 2001)