Board of Governors of the Federal Reserve System

Regulations

Compliance Guide to Small Entities

Regulation P: Privacy of Consumer Financial Information
12 CFR 216

This description should not be interpreted as a comprehensive statement of the regulation. Rather, it is intended to give a broad overview of the regulation's requirements. The full regulation is available on the Government Printing Office web site.

Regulation P governs the treatment of nonpublic personal information about consumers by the financial institutions for which the Board has primary supervisory authority.

A general description of the regulation, by section, follows.

Section 216.1 Purpose and scope
Summarizes the obligations of a financial institution to provide notice to its customers about its privacy policies and practices and the right of a consumer to prevent a financial institution from disclosing nonpublic personal information about him or her to nonaffiliated third parties by "opting out" of that disclosure. Specifies that only the U.S. offices of financial institutions for which the Board has primary supervisory authority are subject to the requirements of the regulation.

Section 216.2 Rule of construction
States that the examples in the regulation and the sample clauses in appendix A of the regulation are not exclusive and that compliance with an example or use of a sample clause, to the extent applicable, constitutes compliance with the regulation.

Section 216.3 Definitions
Defines key terms used in the regulation, such as "consumer," "customer," and "nonpublic personal information."

Section 216.4 Initial privacy notice to consumers required 
Sets forth requirements to provide an initial privacy notice to a customer not later than when the financial institution establishes a customer relationship, and to a consumer before disclosing any nonpublic personal information about the consumer to any nonaffiliated third party, subject to certain exceptions. Also provides an exception to allow subsequent delivery of an initial notice under limited circumstances.

Section 216.5 Annual privacy notice to customers required 
Sets forth the requirement to provide a privacy notice to a customer annually during the continuation of the customer relationship.

Section 216.6 Information to be included in privacy notices 
Establishes the items of information required to be described in the initial, annual, and revised privacy notices.

Section 216.7 Form of opt out notice to consumers; opt out methods
Establishes the items of information required to be described in the opt-out notice and sets forth requirements for providing a reasonable opportunity to opt out to consumers who jointly obtain a financial product or service.

Section 216.8 Revised privacy notices
Sets forth the requirement to provide a revised privacy notice to a consumer before disclosing nonpublic personal information about him or her to a nonaffiliated third party other than as described in the initial notice to the consumer.

Section 216.9 Delivering privacy and opt out notices
Sets forth the requirement to provide a privacy notice to a customer annually during the continuation of the customer relationship.

Section 216.10 Limits on disclosure of nonpublic personal information to nonaffiliated third parties
Establishes the general limitation against disclosing nonpublic personal information about a consumer to any nonaffiliated third party.

Section 216.11 Limits on redisclosure and reuse of information
Establishes various limitations against redisclosing and reusing nonpublic personal information received from a nonaffiliated financial institution.

Section 216.12 Limits on sharing account number information for marketing purposes
Sets forth the restriction against disclosing a consumer's account number for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.

Section 216.13 Exception to opt out requirements for service providers and joint marketing
Establishes an exception to the requirement to provide a consumer with an opt-out notice and reasonable opportunity to opt out of certain disclosures to nonaffiliated third parties who perform services on behalf of a financial institution, including marketing financial products or services offered pursuant to a joint agreement.

Section 216.14 Exceptions to notice and opt out requirements for processing and servicing transactions
Establishes exceptions to the requirements to provide a consumer with an initial privacy notice, an opt-out notice, and reasonable opportunity to opt out of disclosures to nonaffiliated third parties as necessary, among other purposes, to effect, administer, or enforce a transaction that a consumer requests or authorizes, or in connection with maintaining or servicing the consumer's account.

Section 216.15 Other exceptions to notice and opt out requirements
Establishes other exceptions to the requirements to provide a consumer with an initial privacy notice, an opt-out notice, and reasonable opportunity to opt out of disclosures to various nonaffiliated third parties, such as to persons acting in a fiduciary capacity on behalf of the consumer, and for a variety of purposes, such as to comply with federal, state, or local laws.

Section 216.16 Protection of Fair Credit Reporting Act 
States that nothing in the regulation should be construed to modify, limit, or supersede the operation of the Fair Credit Reporting Act (15 U.S.C. 1681 et seq.).

Section 216.17 Relation to State laws
States that the regulation should not be construed as superseding, altering, or affecting any statute, regulation, order, or interpretation in effect in any state, except to the extent that such state statute, regulation, order, or interpretation is inconsistent with the provisions of the regulation, and then only to the extent of the inconsistency.

Section 216.18 Effective date; transition rule
Sets forth the effective date for the regulation and a transition rule that applies to certain contracts between nonaffiliated third parties and financial institutions that were entered into on or before July 1, 2000.

For additional information about Regulation P, see Compliance Guide for Small Entities (77 KB PDF) and Frequently Asked Questions (147 KB PDF).

Privacy Notice Instructions (102 KB PDF)

Privacy Notice--Opt Out Options:   
With Affiliate Marketing (110 KB PDF)
Without Affiliate Marketing (109 KB PDF)  

Privacy Notice--No Opt Out Options:
With Affiliate Marketing (133 KB PDF)
Without Affiliate Marketing (127 KB PDF)

Privacy Notice--Mail in Forms:
With Affiliate Marketing (75 KB PDF)
Without Affiliate Marketing (76 KB PDF)


Last update: December 28, 2016