Title 15 — Commerce and TradeRelease 119-73not60
§6802 Obligations with Respect to Disclosures of Personal Information
Title 15 › Chapter 94— PRIVACY › Subchapter I— DISCLOSURE OF NONPUBLIC PERSONAL INFORMATION › § 6802
Summary
Financial companies must not share a customer’s private, nonpublic personal information with unrelated outside companies unless the customer has been given a proper notice and a chance to stop the sharing. The company must clearly tell the customer, in writing or electronically, that the information may be shared, give the customer an opportunity to opt out before the first disclosure, and explain how to use that opt-out. The company can share information with outside firms that do work for the company (including marketing the company’s own products or joint products) only if the company tells the customer and has a contract requiring the outside firm to keep the data private. A company that gets such information from a financial firm generally may not pass it on to other unrelated companies unless it would have been legal for the original firm to do so. Account numbers or access codes for credit, deposit, or transaction accounts cannot be given to unrelated firms for telemarketing, direct mail, or email marketing. Sharing is allowed in specific cases, such as to carry out a transaction the customer asked for, with the customer’s consent, to protect records or prevent fraud, to service accounts, to certain auditors or advisors, to credit reporting agencies under the Fair Credit Reporting Act, in a sale or merger of a business unit, or when required by law or legal process.
Full Legal Text
Title 15, §6802
Commerce and Trade — Source: USLM XML via OLRC
(a)Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title.
(b)(1)A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless—
(A)such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, that such information may be disclosed to such third party;
(B)the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and
(C)the consumer is given an explanation of how the consumer can exercise that nondisclosure option.
(2)This subsection shall not prevent a financial institution from providing nonpublic personal information to a nonaffiliated third party to perform services for or functions on behalf of the financial institution, including marketing of the financial institution’s own products or services, or financial products or services offered pursuant to joint agreements between two or more financial institutions that comply with the requirements imposed by the regulations prescribed under section 6804 of this title, if the financial institution fully discloses the providing of such information and enters into a contractual agreement with the third party that requires the third party to maintain the confidentiality of such information.
(c)Except as otherwise provided in this subchapter, a nonaffiliated third party that receives from a financial institution nonpublic personal information under this section shall not, directly or through an affiliate of such receiving third party, disclose such information to any other person that is a nonaffiliated third party of both the financial institution and such receiving third party, unless such disclosure would be lawful if made directly to such other person by the financial institution.
(d)A financial institution shall not disclose, other than to a consumer reporting agency, an account number or similar form of access number or access code for a credit card account, deposit account, or transaction account of a consumer to any nonaffiliated third party for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
(e)Subsections (a) and (b) shall not prohibit the disclosure of nonpublic personal information—
(1)as necessary to effect, administer, or enforce a transaction requested or authorized by the consumer, or in connection with—
(A)servicing or processing a financial product or service requested or authorized by the consumer;
(B)maintaining or servicing the consumer’s account with the financial institution, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity; or
(C)a proposed or actual securitization, secondary market sale (including sales of servicing rights), or similar transaction related to a transaction of the consumer;
(2)with the consent or at the direction of the consumer;
(3)(A)to protect the confidentiality or security of the financial institution’s records pertaining to the consumer, the service or product, or the transaction therein; (B) to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability; (C) for required institutional risk control, or for resolving customer disputes or inquiries; (D) to persons holding a legal or beneficial interest relating to the consumer; or (E) to persons acting in a fiduciary or representative capacity on behalf of the consumer;
(4)to provide information to insurance rate advisory organizations, guaranty funds or agencies, applicable rating agencies of the financial institution, persons assessing the institution’s compliance with industry standards, and the institution’s attorneys, accountants, and auditors;
(5)to the extent specifically permitted or required under other provisions of law and in accordance with the Right to Financial Privacy Act of 1978 [12 U.S.C. 3401 et seq.], to law enforcement agencies (including the Bureau of Consumer Financial Protection 11 So in original. Probably should be followed by a comma. a Federal functional regulator, the Secretary of the Treasury with respect to subchapter II of chapter 53 of title 31, and chapter 2 of title I of Public Law 91–508 (12 U.S.C. 1951–1959), a State insurance authority, or the Federal Trade Commission), self-regulatory organizations, or for an investigation on a matter related to public safety;
(6)(A)to a consumer reporting agency in accordance with the Fair Credit Reporting Act [15 U.S.C. 1681 et seq.], or (B) from a consumer report reported by a consumer reporting agency;
(7)in connection with a proposed or actual sale, merger, transfer, or exchange of all or a portion of a business or operating unit if the disclosure of nonpublic personal information concerns solely consumers of such business or unit; or
(8)to comply with Federal, State, or local laws, rules, and other applicable legal requirements; to comply with a properly authorized civil, criminal, or regulatory investigation or subpoena or summons by Federal, State, or local authorities; or to respond to judicial process or government regulatory authorities having jurisdiction over the financial institution for examination, compliance, or other purposes as authorized by law.
Legislative History
Notes & Related Subsidiaries
Editorial Notes
References in Text
This subchapter, referred to in subsecs. (a) and (c), was in the original “this subtitle”, meaning subtitle A (§§ 501–510) of title V of Pub. L. 106–102, Nov. 12, 1999, 113 Stat. 1436, which is classified principally to this subchapter. For complete classification of subtitle A to the Code, see Tables. The Right to Financial Privacy Act of 1978, referred to in subsec. (e)(5), is title XI of Pub. L. 95–630, Nov. 10, 1978, 92 Stat. 3697, which is classified generally to chapter 35 (§ 3401 et seq.) of Title 12, Banks and Banking. For complete classification of this Act to the Code, see
Short Title
note set out under section 3401 of Title 12 and Tables. Chapter 2 of title I of Public Law 91–508, referred to in subsec. (e)(5), is chapter 2 (§§ 121–129) of title I of Pub. L. 91–508, Oct. 26, 1970, 84 Stat. 1116, which is classified generally to chapter 21 (§ 1951 et seq.) of Title 12, Banks and Banking. For complete classification of chapter 2 to the Code, see Tables. The Fair Credit Reporting Act, referred to in subsec. (e)(6)(A), is title VI of Pub. L. 90–321, as added by Pub. L. 91–508, title VI, § 601, Oct. 26, 1970, 84 Stat. 1127, which is classified generally to subchapter III (§ 1681 et seq.) of chapter 41 of this title. For complete classification of this Act to the Code, see
Short Title
note set out under section 1601 of this title and Tables.
Amendments
2010—Subsec. (e)(5). Pub. L. 111–203 inserted “the Bureau of Consumer Financial Protection” after “(including”.
Statutory Notes and Related Subsidiaries
Effective Date
of 2010 AmendmentAmendment by Pub. L. 111–203 effective on the designated transfer date, see section 1100H of Pub. L. 111–203, set out as a note under section 552a of Title 5, Government Organization and Employees.
Reference
Citations & Metadata
Citation
15 U.S.C. § 6802
Title 15 — Commerce and Trade
Last Updated
Apr 3, 2026
Release point: 119-73not60