Great question. This is a tough one and I had to sludge through each of 1016.6(a)(2)-(5) and (9) to get what I think is the right answer. The short answer is that the changes to box 2 in and of themselves probably don't trigger a new notice. But here's the catch: when you update box 2, 1016.6(a)(3) appears to require you to update the definition of "joint marketing" on the back of your privacy notice. For the citation, here are the requirements of 1016.6(a)(3):
"(3) The categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal information, other than those parties to whom you disclose information under §§1016.14 and 1016.15 of this part;"
Since the joint marketing is under the 1016.13 exception, notice that only the _.14 and _.15 exceptions are excluded - meaning the _.13 exception IS included. Furthermore, the instructions for completing the privacy notice (found in the appendix - as well as 1016.6(c)(3)) say you must list the categories of affiliates and nonaffiliated third parties to whom you disclose, along with a few examples. Logistically, this information is disclosed in the definition box for joint marketing and the examples provided in 1016.6(c)(3) are as follows:
"(ii) If it shares with nonaffiliated third parties, state, as applicable: “Nonaffiliates we share with can include [list categories of companies such as mortgage companies, insurance companies, direct marketing companies, and nonprofit organizations].”"
As you can see, "direct marketing companies" are a clear example of the types of nonaffiliates that must be disclosed under 1016.(a)(3).
So, did you update the definition of "joint marketing" on page 2 of your privacy policy to include "direct marketing companies"? If so, that change of information is required by 1016.6(a)(3) and would require a new notice. If you didn't update the "joint marketing" definition, I don't think your privacy policy is compliant with 1016.6(a)(3) and 1016.6(c)(3) - unless it was already disclosed that way in the definitions, which is unlikely.
For the record, I stopped at 1016.6(a)(3) and didn't review (a)(4) or (a)(5), so either of those sections could also apply and trigger the requirement as well - but I'm not sure as I didn't review them in detail today to see if they applied to your scenario.
_________________________
Adam Witmer, CRCM
All statements are my opinion, not those of my employer, and should not be taken as legal advice.
www.compliancecohort.com