(a) (1) Form of opt-out notice. If you are required
to provide an opt-out notice under section 1016.10(a), you must provide
a clear and conspicuous notice to each of your consumers that accurately
explains the right to opt-out under that section. The notice must
state:
(i) That you disclose or reserve the right to disclose nonpublic personal
information about your consumer to a nonaffiliated third party;
(ii) That the consumer has the right
to opt-out of that disclosure; and
(iii) A reasonable means by which the consumer may exercise the opt-out
right.
(2) Examples.
(i) Adequate opt-out notice. You provide adequate notice that the
consumer can opt-out of the disclosure of nonpublic personal information to
a nonaffiliated third party if you:
(A) Identify all of the categories of nonpublic
personal information that you disclose or reserve the right to disclose,
and all of the categories of nonaffiliated third parties to which
you disclose the information, as described in section 1016.6(a)(2)
and (3) of this part, and state that the consumer can opt-out of the
disclosure of that information; and
(B) Identify the financial products or services that the consumer
obtains from you, either singly or jointly, to which the opt-out direction
would apply.
(ii) Reasonable opt-out means. You provide a
reasonable means to exercise an opt-out right if you:
(A) Designate check-off boxes in a prominent
position on the relevant forms with the opt-out notice;
(B) Include a reply form together with the
opt-out notice that, in the case of financial institutions described
in section 1016.3(l)(3) of this part, includes the address
to which the form should be mailed;
(C) Provide an electronic means to opt-out, such as a form that can
be sent via electronic mail or a process at your Web site, if the
consumer agrees to the electronic delivery of information; or
(D) Provide a toll-free telephone number that
consumers may call to opt-out.
(iii) Unreasonable opt-out means. You do not provide a reasonable means of
opting out if:
(A) The only means of opting out is for the consumer to write his or her own
letter to exercise that opt-out right; or
(B) The only means of opting out as described in any notice subsequent
to the initial notice is to use a check-off box that you provided
with the initial notice but did not include with the subsequent notice.
(iv) Specific opt-out means. You may require
each consumer to opt-out through a specific means, as long as that
means is reasonable for that consumer.
(b) Same form as initial notice permitted. You
may provide the opt-out notice together with or on the same written
or electronic form as the initial notice you provide in accordance
with section 1016.4.
(c) Initial notice required when opt-out notice delivered subsequent to
initial notice. If you provide the opt-out notice later than required
for the initial notice in accordance with section 1016.4 of this part,
you must also include a copy of the initial notice with the opt-out
notice in writing or, if the consumer agrees, electronically.
(d) Joint relationships in the case of financial
institutions other than credit unions and covered entities subject
to FTC enforcement jurisdiction. For purposes of this paragraph
(d), “you” is limited to financial institutions other than credit
unions and financial institutions described in section 1016.3(l)(3) of this part.
(1) If two or more consumers jointly obtain a financial product or service
from you, you may provide a single opt-out notice. Your opt-out notice
must explain how you will treat an opt-out direction by a joint consumer
(as explained in paragraph (d)(5) of this section).
(2) Any of the joint consumers may exercise
the right to opt-out. You may either:
(i) Treat an opt-out direction by a
joint consumer as applying to all of the associated joint consumers;
or
(ii) Permit each joint consumer
to opt-out separately.
(3) If you permit each joint consumer to opt-out separately, you
must permit one of the joint consumers to opt-out on behalf of all
of the joint consumers.
(4) You may not require all joint consumers to opt-out before you implement
any opt-out direction.
(5) Example. If John and Mary have a joint
checking account with you and arrange for you to send statements to
John’s address, you may do any of the following, but you must explain
in your opt-out notice which opt-out policy you will follow:
(i) Send a single opt-out notice
to John’s address, but you must accept an opt-out direction from either
John or Mary.
(ii) Treat an opt-out
direction by either John or Mary as applying to the entire account.
If you do so, and John opts out, you may not require Mary to opt-out
as well before implementing John’s opt-out direction.
(iii) Permit John and Mary to make different
opt-out directions. If you do so:
(A) You must permit John and Mary to opt-out
for each other;
(B) If both opt-out, you must permit both to notify you in a single response
(such as on a form or through a telephone call); and
(C) If John opts out and Mary does not, you may only disclose nonpublic
personal information about Mary, but not about John and not about
John and Mary jointly.
(e) Joint relationships in the case of credit unions.
(1) If two or more consumers jointly obtain a financial product or service,
other than a loan, from a credit union, the credit union may provide
only a single opt-out notice. The opt-out notice must explain how
the credit union will treat an opt-out direction by a joint consumer
(as explained in the examples in paragraph (e)(5) of this section).
(2) Any of the joint consumers may
exercise the right to opt-out. A credit union may either:
(i) Treat an opt-out direction by
a joint consumer to apply to all of the associated joint consumers;
or
(ii) Permit each joint consumer
to opt-out separately.
(3) If a credit union permits each joint consumer to opt-out separately,
the credit union must permit one of the joint consumers to opt-out
on behalf of all of the joint consumers.
(4) A credit union may not require all
joint consumers to opt-out before the credit union implements any
opt-out direction.
(5) Example. If John and Mary have a joint
share account with a credit union and arrange for the credit union
to send statements to John’s address, the credit union may do any
of the following, but it must explain in its opt-out notice which
opt-out policy it will follow:
(i) Send a single opt-out notice to
John’s address, but it must accept an opt-out direction from either
John or Mary.
(ii) Treat an opt-out
direction by either John or Mary as applying to the entire account.
If it does so, and John opts out, it may not require Mary to opt-out
as well before implementing John’s opt-out direction.
(iii) Permit John and Mary to make different
opt-out directions. If it does so, and if John and Mary both opt-out,
it must permit one or both of them to notify it in a single response
(such as on a form or through a telephone call).
(6) Special rule for loans.
(i) A credit union is required to provide an initial opt-out notice
to a borrower or guarantor on a loan if it shares his or her nonpublic
personal information with nonaffiliated third parties other than for
purposes under sections 1016.13, 1016.14, and 1016.15.
(ii) A credit union may satisfy its
annual opt-out notice requirement by providing one notice to those
borrowers and guarantors jointly.
(f) Joint relationships in the case of covered entities
subject to FTC enforcement jurisdiction. For purposes of this
paragraph (f), “you” is limited to the financial institutions described
in section 1016.3(l)(3).
(1) If two or more consumers jointly obtain
a financial product or service from you, you may provide a single
opt-out notice, unless one or more of those consumers requests a separate
opt-out notice. Your opt-out notice must explain how you will treat
an opt-out direction by a joint consumer (as explained in paragraph
(f)(5) of this section).
(2) Any of the joint consumers may exercise the right to opt-out. You may
either:
(i) Treat an opt-out direction by a joint consumer as applying to all of the
associated joint consumers; or
(ii) Permit each joint consumer to opt-out separately.
(3) If you permit each joint consumer
to opt-out separately, you must permit one of the joint consumers
to opt-out on behalf of all of the joint consumers.
(4) You may not require all joint consumers
to opt-out before you implement any opt-out direction.
(5) Example. If John and Mary have a joint credit card account with you and arrange
for you to send statements to John’s address, you may do any of the
following, but you must explain in your opt-out notice which opt-out
policy you will follow:
(i) Send a single opt-out notice to John’s address, but you must
accept an opt-out direction from either John or Mary.
(ii) Treat an opt-out direction by either
John or Mary as applying to the entire account. If you do so, and
John opts out, you may not require Mary to opt-out as well before
implementing John’s opt-out direction.
(iii) Permit John and Mary to make different
opt-out directions. If you do so:
(A) You must permit John and Mary to opt-out
for each other;
(B) If both opt-out, you must permit both to notify you in a single response
(such as on a form or through a telephone call); and
(C) If John opts out and Mary does not, you may only disclose nonpublic
personal information about Mary, but not about John and not about
John and Mary jointly.
(g) Time to comply with opt-out. You must comply
with a consumer’s opt-out direction as soon as reasonably practicable
after you receive it.
(h) Continuing right to opt-out. A consumer may exercise the right to opt-out
at any time.
(i) Duration of consumer’s opt-out direction.
(1) A consumer’s direction to opt-out under this section is effective
until the consumer revokes it in writing or, if the consumer agrees,
electronically.
(2) When a customer
relationship terminates, the customer’s opt-out direction continues
to apply to the nonpublic personal information that you collected
during or related to that relationship. If the individual subsequently
establishes a new customer relationship with you, the opt-out direction
that applied to the former relationship does not apply to the new
relationship.
(j) Delivery. When you are required to deliver an opt-out notice by this section,
you must deliver it according to section 1016.9 of this part.
(k) Model privacy form. Pursuant to
section 1016.2(a) of this part, a model privacy form that meets the
notice content requirements of this section is included in the appendix
to this part.