Management would like to begin sharing NPPI with a non-affiliated 3rd party (credit card company). They will handle tracking the opt-outs via a 1-800 phone number, but let's face it, our customers will be calling our call center, not only with questions, but also with opt-out requests!

We will send an updated Privacy Notice to all customers indicating we are now sharing NPPI with non-affiliated 3rd parties and that the customers have an opportunity to opt out. My questions include:

1. Do we have to specifically highlight what is changing with our Privacy Policy (I realize it is a good idea PR-wise), but is it required via law/regulation (or is that likely to be in the upcoming regs following the FAST Act changes?)?
2. T or F? Now that we have an opt-out we must send the Privacy Notice every year (I believe this is True, but I want to hear it :))
3. Has anyone had experience with the vendor keeping track of the opt-outs? No matter who is tracking opt-outs it seems like it would be very tough to get correct!

Thanks in advance for any responses.