Iowa Admin. Code r. 191-90.7

Current through Register Vol. 46, No. 21, April 17, 2024

Rule 191-90.7 - Revised privacy notices

(1) Except as otherwise authorized in this rule, a licensee shall not, directly or through an affiliate, disclose any nonpublic personal financial information about a consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under rule 191-90.3 (505) unless the following occur:

a. The licensee has provided to the consumer a clear and conspicuous revised privacy notice that accurately describes its policies and practices;

b. The licensee has provided to the consumer a new opt-out notice;

c. The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure; and

d. The consumer does not opt out.

Except as permitted by rules 191-90.12 (505), 191-90.13 (505), and 191-90.14 (505), a licensee shall provide a revised notice before the licensee does any of the following:

* Discloses a new category of nonpublic personal financial information to any nonaffiliated third party;

* Discloses nonpublic personal financial information to a new category of nonaffiliated third party; or

* Discloses nonpublic personal financial information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt-out right regarding that disclosure.

(2) A revised privacy notice is not required if the licensee discloses nonpublic personal financial information to a new nonaffiliated third party that the licensee adequately described in its prior notice.

(3) When a licensee is required to deliver a revised privacy notice by this rule, the licensee shall deliver it according to rule 191-90.8 (505).

Iowa Admin. Code r. 191-90.7

Adopted by IAB March 20, 2024/Volume XLVI, Number 19, effective 4/24/2024