We recently started using a 3rd party vendor to help us market our products/services to our own customers. In box 2 for our privacy notice ("For our marketing purposes") we used to say No/No and now changed it to Yes/No. Does this trigger the need to send an updated notice to all our consumer customers? My instinct is to send it so customers are aware of the change, even though they can't limit it. But when I read:

1016.5(e)(1)(ii): "(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 1016.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part."

and then further review 1016.6(a)(2)-(5) and (9) it isn't totally clear to me if the change in practice of sharing information for our own, marketing purposes falls under any of those sections. Other than the mailing cost (which does add up), there is obviously no downside in just sending, but is it required? Any input would be greatly appreciated.

Great question. This is a tough one and I had to sludge through each of 1016.6(a)(2)-(5) and (9) to get what I think is the right answer. The short answer is that the changes to box 2 in and of themselves probably don't trigger a new notice. But here's the catch: when you update box 2, 1016.6(a)(3) appears to require you to update the definition of "joint marketing" on the back of your privacy notice. For the citation, here are the requirements of 1016.6(a)(3):
"(3) The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under §§1016.14 and 1016.15 of this part;"

Since the joint marketing is under the 1016.13 exception, notice that only the _.14 and _.15 exceptions are excluded- meaning the _.13 exception IS included. Furthermore, the instructions for completing the privacy notice (found in the appendix - as well as 1016.6(c)(3)) say you must must list the categories of affiliates and nonaffiliated third parties to whom you disclose, along with a few examples. Logistically, this information is disclosed in the definition box for joint marketing and the examples provided in 1016.6(c)(3) are as follows:

"(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”"

As you can see, "direct marketing companies" are a clear example of the types of nonaffiliates that must be disclosed under 1016.(a)(3).

So, did you update the definition of "joint marketing" on page 2 of your privacy policy to include "direct marketing companies"? If so, that change of information is required by 1016.6(a)(3) and would require a new notice. If you didn't update the "joint marketing" definition, I don't think your privacy policy is compliant with 1016.6(a)(3) and 1016.6(c)(3) - unless it was already disclosed that way in the definitions, which is unlikely.

For the record, I stopped at 1016.6(a)(3) and didn't review (a)(4) or (a)(5), so either of those sections could also apply and trigger the requirement as well - but I'm not sure as I didn't review them in detail today to see if they applied to your scenario.

Thank you for taking the time to dig into this. I agree with your assessemnt. We need to update page 2 and ensure it lists direct marketing companies and then send the notice. Again, thanks for your insights.

Be aware there is a specific meaning behind joint marketing in § 1016.13.
You have to have an actual contractual agreement that binds the other party from disclosing or using the information other than to carry out the purposes intended.
So, you will want to insure before saying you have a joint marketing agreement, you actually have a contract with other party that specifically states they cannot use the information given other than for the purposes intended or what is allowed in § 1016.14 or 1016.15

I want to piggy back on this thread. We have to update our privacy notice. On pg. 1 we always had YES/NO for joint marketing with other financial companies. The only thing we need to change is to add insurance companies on pg 2 under the definition of joint marketing. Before we only had brokerage firm and credit card companies.

We are going to start to offer AD&D coverage for checking account holders. We give the company a list and they provide the mailing using our bank logo, etc. The customer then goes to a website to obtain if they want it. Is this really a joint marketing or are they a service provider?

I feel its better to update to reflect our current practice. We can insert the notice in our statements. Do I have to put a statement message on the statement on what has changed or is providing the updated notice enough?

They are adding your bank logo to a solicitation for insurance? I hope you have all the advertising requirements covered. What about all your customers that do not get statements?