Current through Reg. 49, No. 44; November 1, 2024
Section 22.11 - Form of Opt Out Notice to Consumers and Opt Out Methods(a) Clear and conspicuous notice. If a covered entity is required to provide an opt out notice under § 22.14(a) of this title (relating to Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties), it must provide a clear and conspicuous notice to each of its consumers that accurately explains the right to opt out. The notice must state: (1) that the covered entity discloses or reserves the right to disclose nonpublic personal financial information about its consumer to a nonaffiliated third party;(2) that the consumer has the right to opt out of that disclosure; and(3) a reasonable means by which the consumer may opt out.(b) Adequate opt out notice. A covered entity provides adequate notice that the consumer can opt out of the disclosure of nonpublic personal financial information to a nonaffiliated third party if the covered entity: (1) identifies all of the categories of nonpublic personal financial information it discloses or reserves the right to disclose, and all of the categories of nonaffiliated third parties to which the covered entity discloses the information, as described in § 22.10(a)(2) and (3) of this title (relating to Information to be Included in Privacy Notices), and states that the consumer can opt out of the disclosure of that information; and(2) identifies the insurance products or services the consumer obtains from the covered entity, either singly or jointly, to which the opt out direction would apply.(c) Reasonable opt out means. A covered entity provides a reasonable means to exercise an opt out right if it: (1) designates check-off boxes in a prominent position on the relevant forms with the opt out notice; and(2) includes the reply form together with the opt out notice; or(3) provides an electronic means to opt out, such as a form that can be sent by electronic mail or a process on the covered entity's website, if the consumer agrees to the electronic delivery of information; or(4) provides a toll-free telephone number consumers may call to opt out.(d) Unreasonable opt out means. A covered entity does not provide a reasonable means of opting out if: (1) the only means of opting out is for the consumer to write his or her own letter to exercise that opt out right; or(2) the only means of opting out as described in any notice subsequent to the initial notice is to use a check-off box that the covered entity provided with the initial notice but did not include with the subsequent notice.(e) Specific opt out means. A covered entity may require each consumer to opt out through a specific means, so long as that means is reasonable for that consumer.(f) Opt out notice with or on a written or electronic form. A covered entity may provide the opt out notice together with, or on the same written or electronic form as, the initial notice the covered entity provides in accord with § 22.8 of this title (relating to Initial Privacy Notice).(g) Opt out notice later than initial notice. If a covered entity provides the opt out notice later than required for the initial notice in accord with § 22.8 of this title, the covered entity must also include a copy of the initial notice with the opt out notice in writing or, if the consumer agrees, electronically.(h) Joint relationships. A covered entity must use the procedures set out in paragraphs (1) - (4) of this subsection when joint relationships between consumers are involved. (1) If two or more consumers jointly obtain or seek to obtain an insurance product or service from a covered entity, the covered entity may provide a single opt out notice. The covered entity's opt out notice must explain how the covered entity will treat an opt out direction by a joint consumer (as explained in subsection (i) of this section).(2) Any of the joint consumers may exercise the right to opt out. The covered entity may either: (A) treat an opt out direction by a joint consumer as applying to all of the associated joint consumers; or(B) permit each joint consumer to opt out separately.(3) If a covered entity permits each joint consumer to opt out separately, the covered entity must permit one of the joint consumers to opt out on behalf of all the joint consumers.(4) A covered entity may not require all joint consumers to opt out before it implements any opt out direction.(i) Examples. The following are examples of how a covered entity should treat a joint relationship. If John and Mary are both named policyholders on a homeowner's insurance policy issued by a covered entity and the covered entity sends policy statements to John's address, the covered entity may do any of the following, but it must explain in its opt out notice which opt out policy the covered entity will follow: (1) Send a single opt out notice to John's address, but the covered entity must accept an opt out direction from either John or Mary.(2) Treat an opt out direction by either John or Mary as applying to the entire policy. If the covered entity does so and John opts out, the covered entity may not require Mary to opt out as well before implementing John's opt out direction.(3) Permit John and Mary to make different opt out directions. If the covered entity does so: (A) it must permit John and Mary to opt out for each other;(B) if both opt out, the covered entity must permit both of them to notify it in a single response (such as on a form or through a telephone call); and(C) if John opts out and Mary does not, the covered entity may only disclose nonpublic personal financial information about Mary, but not about John, and not about John and Mary jointly.(j) Opt out direction. A covered entity must comply with a consumer's opt out direction as soon as reasonably practicable after the covered entity receives it.(k) Consumer's right to opt out. A consumer may exercise the right to opt out at any time.(l) A consumer's direction. A consumer's direction to opt out under this section is effective until the consumer revokes it in writing or, if the consumer has agreed to conduct business electronically, electronically.(m) Customer relationship. When a customer relationship terminates, the customer's opt out direction continues to apply to the nonpublic personal financial information the covered entity collected during or related to that relationship. If the individual subsequently establishes a new customer relationship with the covered entity, the opt out direction that applied to the former relationship does not apply to the new relationship.(n) Opt out delivery. When a covered entity is required to deliver an opt out notice by this section, the covered entity must deliver it according to § 22.13 of this title (relating to Delivery).(o) Notice content requirements. A model privacy form that meets the notice content requirement of this section appears in 74 Federal Register 62890 (December 1, 2009). A covered entity may use the applicable model privacy form, consistent with the instructions in § 22.27 of this title (relating to General Instructions).28 Tex. Admin. Code § 22.11
The provisions of this §22.11 adopted to be effective December 17, 2001, 26 TexReg 10316; amended by Texas Register, Volume 39, Number 49, December 5, 2014, TexReg 9566, eff. 12/7/2014