U.S. GOVERNMENT INFORMATION
GPO

Federal Reserve System

§ 216.1 Purpose and scope.
(a) Purpose. This part governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This part:
(1) Requires a financial institution to provide notice to customers about its privacy policies and practices;
(2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties; and
(3) Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by "opting out" of that disclosure, subject to the exceptions in §§216.13, 216.14, and 216.15.
(b) Scope. (1) This part applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes from the institutions listed below. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to the U.S. offices of entities for which the Board has primary supervisory authority. They are referred to in this part as "you." These are: State member banks, bank holding companies and certain of their nonbank subsidiaries or affiliates, State uninsured branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and Agreement corporations.
(2) Nothing in this part modifies, limits, or supersedes the standards governing individually identifiable health information promulgated by the Secretary of Health and Human Services under the authority of sections 262 and 264 of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-1320d-8).

§ 216.2 Model privacy form and examples.
(a) Model privacy form. Use of the model privacy form in appendix A of this part, consistent with the instructions in appendix A, constitutes compliance with the notice content requirements of §§216.6 and 216.7 of this part, although use of the model privacy form is not required.
(b) Examples. The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part.
[74 FR 62925, Dec. 1, 2009]

§ 216.3 Definitions.
As used in this part, unless the context requires otherwise:
(a) Affiliate means any company that controls, is controlled by, or is under common control with another company.
(b)(1) Clear and conspicuous means that a notice is reasonably understandable and designed to call attention to the nature and significance of the information in the notice.
(2) Examples-(i) Reasonably understandable. You make your notice reasonably understandable if you:
(A) Present the information in the notice in clear, concise sentences, paragraphs, and sections;
(B) Use short explanatory sentences or bullet lists whenever possible;
(C) Use definite, concrete, everyday words and active voice whenever possible;
(D) Avoid multiple negatives;
(E) Avoid legal and highly technical business terminology whenever possible; and
(F) Avoid explanations that are imprecise and readily subject to different interpretations.
(ii) Designed to call attention. You design your notice to call attention to the nature and significance of the information in it if you:
(A) Use a plain-language heading to call attention to the notice;
(B) Use a typeface and type size that are easy to read;
(C) Provide wide margins and ample line spacing;
(D) Use boldface or italics for key words; and
(E) In a form that combines your notice with other information, use distinctive type size, style, and graphic devices, such as shading or sidebars, when you combine your notice with other information.

VERSATA EXHIBIT 2052
SAP v. VERSATA
CASE CBM2012-00001

(iii) Notices on web sites. If you provide a notice on a web page, you design your notice to call attention to the nature and significance of the information in it if you use text or visual cues to encourage scrolling down the page if necessary to view the entire notice and ensure that other elements on the web site (such as text, graphics, hyperlinks, or sound) do not distract attention from the notice, and you either:
(A) Place the notice on a screen that consumers frequently access, such as a page on which transactions are conducted; or
(B) Place a link on a screen that consumers frequently access, such as a page on which transactions are conducted, that connects directly to the notice and is labeled appropriately to convey the importance, nature, and relevance of the notice.
(c) Collect means to obtain information that you organize or can retrieve by the name of an individual or by identifying number, symbol, or other identifying particular assigned to the individual, irrespective of the source of the underlying information.
(d) Company means any corporation, limited liability company, business trust, general or limited partnership, association, or similar organization.
(e)(1) Consumer means an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual's legal representative.
(2) Examples-(i) An individual who applies to you for credit for personal, family, or household purposes is a consumer of a financial service, regardless of whether the credit is extended.
(ii) An individual who provides nonpublic personal information to you in order to obtain a determination about whether he or she may qualify for a loan to be used primarily for personal, family, or household purposes is a consumer of a financial service, regardless of whether the loan is extended.
(iii) An individual who provides nonpublic personal information to you in connection with obtaining or seeking to obtain financial, investment, or economic advisory services is a consumer regardless of whether you establish a continuing advisory relationship.

12 CFR Ch. II (1-1-12 Edition)

(iv) If you hold ownership or servicing rights to an individual's loan that is used primarily for personal, family, or household purposes, the individual is your consumer, even if you hold those rights in conjunction with one or more other institutions. (The individual is also a consumer with respect to the other financial institutions involved.) An individual who has a loan in which you have ownership or servicing rights is your consumer, even if you, or another institution with those rights, hire an agent to collect on the loan.
(v) An individual who is a consumer of another financial institution is not your consumer solely because you act as agent for, or provide processing or other services to, that financial institution.
(vi) An individual is not your consumer solely because he or she has designated you as trustee for a trust.
(vii) An individual is not your consumer solely because he or she is a beneficiary of a trust for which you are a trustee.
(viii) An individual is not your consumer solely because he or she is a participant or a beneficiary of an employee benefit plan that you sponsor or for which you act as a trustee or fiduciary.
(f) Consumer reporting agency has the same meaning as in section 603(f) of the Fair Credit Reporting Act (15 U.S.C. 1681a(f)).
(g) Control of a company means:
(1) Ownership, control, or power to vote 25 percent or more of the outstanding shares of any class of voting security of the company, directly or indirectly, or acting through one or more other persons;
(2) Control in any manner over the election of a majority of the directors, trustees, or general partners (or individuals exercising similar functions) of the company; or
(3) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the company, as the Board determines.
(h) Customer means a consumer who has a customer relationship with you.
(i)(1) Customer relationship means a continuing relationship between a consumer and you under which you provide one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
(2) Examples-(i) Continuing relationship. A consumer has a continuing relationship with you if the consumer:
(A) Has a deposit or investment account with you;
(B) Obtains a loan from you;
(C) Has a loan for which you own the servicing rights;
(D) Purchases an insurance product from you;
(E) Holds an investment product through you, such as when you act as a custodian for securities or for assets in an Individual Retirement Arrangement;
(F) Enters into an agreement or understanding with you whereby you undertake to arrange or broker a home mortgage loan for the consumer;
(G) Enters into a lease of personal property with you; or
(H) Obtains financial, investment, or economic advisory services from you for a fee.
(ii) No continuing relationship. A consumer does not, however, have a continuing relationship with you if:
(A) The consumer obtains a financial product or service only in isolated transactions, such as using your ATM to withdraw cash from an account at another financial institution or purchasing a cashier's check or money order;
(B) You sell the consumer's loan and do not retain the rights to service that loan; or
(C) You sell the consumer airline tickets, travel insurance, or traveler's checks in isolated transactions.
(j) Federal functional regulator means:
(1) The Board of Governors of the Federal Reserve System;
(2) The Office of the Comptroller of the Currency;
(3) The Board of Directors of the Federal Deposit Insurance Corporation;
(4) The Director of the Office of Thrift Supervision;
(5) The National Credit Union Administration Board; and
(6) The Securities and Exchange Commission.
(k)(1) Financial institution means any institution the business of which is engaging in activities that are financial in nature or incidental to such financial activities as described in section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
(2) Financial institution does not include:
(i) Any person or entity with respect to any financial activity that is subject to the jurisdiction of the Commodity Futures Trading Commission under the Commodity Exchange Act (7 U.S.C. 1 et seq.);
(ii) The Federal Agricultural Mortgage Corporation or any entity chartered and operating under the Farm Credit Act of 1971 (12 U.S.C. 2001 et seq.); or
(iii) Institutions chartered by Congress specifically to engage in securitizations, secondary market sales (including sales of servicing rights), or similar transactions related to a transaction of a consumer, as long as such institutions do not sell or transfer nonpublic personal information to a nonaffiliated third party.
(l)(1) Financial product or service means any product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)).
(2) Financial service includes your evaluation or brokerage of information that you collect in connection with a request or an application from a consumer for a financial product or service.
(m)(1) Nonaffiliated third party means any person except:
(i) Your affiliate; or
(ii) A person employed jointly by you and any company that is not your affiliate (but nonaffiliated third party includes the other company that jointly employs the person).
(2) Nonaffiliated third party includes any company that is an affiliate solely by virtue of your or your affiliate's direct or indirect ownership or control of the company in conducting merchant banking or investment banking activities of the type described in section 4(k)(4)(H) or insurance company investment activities of the type described in section 4(k)(4)(I) of the Bank Holding Company Act of 1956 (12 U.S.C. 1843(k)(4)(H) and (I)).
(n)(1) Nonpublic personal information means:
(i) Personally identifiable financial information; and
(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived using any personally identifiable financial information that is not publicly available.
(2) Nonpublic personal information does not include:
(i) Publicly available information, except as included on a list described in paragraph (n)(1)(ii) of this section; or
(ii) Any list, description, or other grouping of consumers (and publicly available information pertaining to them) that is derived without using any personally identifiable financial information that is not publicly available.
(3) Examples of lists-(i) Nonpublic personal information includes any list of individuals' names and street addresses that is derived in whole or in part using personally identifiable financial information that is not publicly available, such as account numbers.
(ii) Nonpublic personal information does not include any list of individuals' names and addresses that contains only publicly available information, is not derived in whole or in part using personally identifiable financial information that is not publicly available, and is not disclosed in a manner that indicates that any of the individuals on the list is a consumer of a financial institution.
(o)(1) Personally identifiable financial information means any information:
(i) A consumer provides to you to obtain a financial product or service from you;
(ii) About a consumer resulting from any transaction involving a financial product or service between you and a consumer; or
(iii) You otherwise obtain about a consumer in connection with providing a financial product or service to that consumer.
(2) Examples-(i) Information included. Personally identifiable financial information includes:
(A) Information a consumer provides to you on an application to obtain a loan, credit card, or other financial product or service;
(B) Account balance information, payment history, overdraft history, and credit or debit card purchase information;
(C) The fact that an individual is or has been one of your customers or has obtained a financial product or service from you;
(D) Any information about your consumer if it is disclosed in a manner that indicates that the individual is or has been your consumer;
(E) Any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on a loan or servicing a loan;
(F) Any information you collect through an Internet "cookie" (an information collecting device from a web server); and
(G) Information from a consumer report.
(ii) Information not included. Personally identifiable financial information does not include:
(A) A list of names and addresses of customers of an entity that is not a financial institution; and
(B) Information that does not identify a consumer, such as aggregate information or blind data that does not contain personal identifiers such as account numbers, names, or addresses.
(p)(1) Publicly available information means any information that you have a reasonable basis to believe is lawfully made available to the general public from:
(i) Federal, State, or local government records;
(ii) Widely distributed media; or
(iii) Disclosures to the general public that are required to be made by Federal, State, or local law.
(2) Reasonable basis. You have a reasonable basis to believe that information is lawfully made available to the general public if you have taken steps to determine:
(i) That the information is of the type that is available to the general public; and
(ii) Whether an individual can direct that the information not be made available to the general public and, if so, that your consumer has not done so.
(3) Examples-(i) Government records. Publicly available information in government records includes information in government real estate records and security interest filings.
(ii) Widely distributed media. Publicly available information from widely distributed media includes information from a telephone book, a television or radio program, a newspaper, or a web site that is available to the general public on an unrestricted basis. A web site is not restricted merely because an Internet service provider or a site operator requires a fee or a password, so long as access is available to the general public.
(iii) Reasonable basis-(A) You have a reasonable basis to believe that mortgage information is lawfully made available to the general public if you have determined that the information is of the type included on the public record in the jurisdiction where the mortgage would be recorded.
(B) You have a reasonable basis to believe that an individual's telephone number is lawfully made available to the general public if you have located the telephone number in the telephone book or the consumer has informed you that the telephone number is not unlisted.
(q) You means:
(1) A State member bank, as defined in 12 CFR 208.3(g);
(2) A bank holding company, as defined in 12 CFR 225.2(c);
(3) A subsidiary (as defined in 12 CFR 225.2(o)) or affiliate of a bank holding company and a subsidiary of a State member bank, except for:
(i) A national bank or a State bank that is not a member of the Federal Reserve System;
(ii) A broker or dealer that is registered under the Securities Exchange Act of 1934 (15 U.S.C. 78a et seq.);
(iii) A registered investment adviser, properly registered by or on behalf of either the Securities Exchange Commission or any State, with respect to its investment advisory activities and its activities incidental to those investment advisory activities;
(iv) An investment company that is registered under the Investment Company Act of 1940 (15 U.S.C. 80a-1 et seq.); or
(v) An insurance company, with respect to its insurance activities and its activities incidental to those insurance activities, that is subject to supervision by a State insurance regulator;
(4) A State agency or State branch of a foreign bank, as those terms are defined in 12 U.S.C. 3101(b) (11) and (12), the deposits of which agency or branch are not insured by the Federal Deposit Insurance Corporation;
(5) A commercial lending company, as defined in 12 CFR 211.21(f), that is owned or controlled by a foreign bank, as defined in 12 CFR 211.21(m); or
(6) A corporation organized under section 25A of the Federal Reserve Act (12 U.S.C. 611-631) or a corporation having an agreement or undertaking with the Board under section 25 of the Federal Reserve Act (12 U.S.C. 601-604a).

Subpart A-Privacy and Opt Out Notices
§ 216.4 Initial privacy notice to consumers required.
(a) Initial notice requirement. You must provide a clear and conspicuous notice that accurately reflects your privacy policies and practices to:
(1) Customer. An individual who becomes your customer, not later than when you establish a customer relationship, except as provided in paragraph (e) of this section; and
(2) Consumer. A consumer, before you disclose any nonpublic personal information about the consumer to any nonaffiliated third party, if you make such a disclosure other than as authorized by §§ 216.14 and 216.15.
(b) When initial notice to a consumer is not required. You are not required to provide an initial notice to a consumer under paragraph (a) of this section if:
(1) You do not disclose any nonpublic personal information about the consumer to any nonaffiliated third party, other than as authorized by §§ 216.14 and 216.15; and
(2) You do not have a customer relationship with the consumer.
(c) When you establish a customer relationship-(1) General rule. You establish