From the Privacy regulation, Section __.7(d)(5):
(5) Example. If John and Mary have a joint checking account with a bank and arranges for the bank to send statements to John's address, the bank may do any of the following, but it must explain in its opt out notice which opt out policy the bank will follow:
(i) Send a single opt out notice to John's address, but the bank must accept an opt out direction from either John or Mary.
(ii) Treat an opt out direction by either John or Mary as applying to the entire account. If the bank does so and John opts out, the bank may not require Mary to opt out as well before implementing John's opt out direction.
(iii) Permit John and Mary to make different opt out directions. If the bank does so:
(A) It must permit John and Mary to opt out for each other;
(B) If both opt out, the bank must permit both of them to notify it in a single response (such as on a form or through a telephone call); and
(C) If John opts out and Mary does not, the bank may only disclose nonpublic personal information about Mary, but not about John and not about John and Mary jointly.
(e) Time to comply with opt out. A bank must comply with a consumer's opt out direction as soon as reasonably practicable after the bank receives it.
This section gives the bank several options as to how it handles the opt-out process for joint accounts. It can take an opt-out from one party as an opt-out for all parties, or it can accept separate opt-outs from each party separately.
The key is, the privacy notice must inform the customers how joint account opt-outs will be handled. And if the bank accepts separate direction from the joint parties, that it shares according to the direction of each party, only sharing data about the party who has not opted out.
_________________________
The opinions expressed here are personal and do not represent opinions of my employer.