I am aware that we need to protect non-public personal information (NPPI) for consumers under the GLB Act. It is my understanding that this reg does not apply to business accounts. What about NPPI of the contacts at those businesses?
For instance, may we share a list of business customers, their contacts (e.g. CFOs), their email addresses (some email addresses are personal email addresses like gmail), etc. with a marketing company to perform some surveys on our behalf? I know we don't have to give them an opt-out since this is for marketing purposes, but GLBA generally requires we perform due diligence to ensure the 3rd party will protect the data as well as or better than we do. Is the due diligence required since these are business accounts?
Regardless of the reg, I think we should protect all customer data and perform due diligence before we share any customer information, but management wants to know if this would be a regulatory violation.
Thank you.