[Congressional Bills 112th Congress]
[From the U.S. Government Publishing Office]
[H.R. 653 Introduced in House (IH)]

112th CONGRESS
  1st Session
                                H. R. 653

To amend the Gramm-Leach-Bliley Act to improve regulations dealing with 
    the disclosure by financial institutions of nonpublic personal 
                  information, and for other purposes.


_______________________________________________________________________


                    IN THE HOUSE OF REPRESENTATIVES

                           February 11, 2011

   Ms. Speier (for herself, Mr. Hastings of Florida, and Mr. Filner) 
 introduced the following bill; which was referred to the Committee on 
                           Financial Services

_______________________________________________________________________

                                 A BILL


 
To amend the Gramm-Leach-Bliley Act to improve regulations dealing with 
    the disclosure by financial institutions of nonpublic personal 
                  information, and for other purposes.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Financial Information Privacy Act of 
2011''.

SEC. 2. OBLIGATIONS WITH RESPECT TO DISCLOSURE OF PERSONAL INFORMATION.

    (a) In General.--The Gramm-Leach-Bliley Act is amended--
            (1) in section 501(b)--
                    (A) in paragraph (1), by inserting after 
                ``security'' the following: ``, integrity,''; and
                    (B) in paragraph (2), by striking ``or integrity'' 
                and inserting ``, integrity, or confidentiality'';
            (2) by striking section 502 and inserting the following new 
        sections:

``SEC. 502. OBLIGATIONS WITH RESPECT TO DISCLOSURES OF PERSONAL 
              INFORMATION TO NONAFFILIATED THIRD PARTIES.

    ``(a) Notice Requirement.--Except as otherwise provided in this 
subtitle, a financial institution may not, directly or through any 
affiliate, disclose to a nonaffiliated third party any nonpublic 
personal information, unless such financial institution provides or has 
provided to the consumer a notice that complies with section 503.
    ``(b) Opt In Before Disclosure Is Permitted.--A financial 
institution may not disclose nonpublic personal information to a 
nonaffiliated third party unless the financial institution has obtained 
the express consent of the consumer on an express consent form that--
            ``(1) complies with the requirements of subsection (e); and
            ``(2) authorizes the financial institution to disclose or 
        share the nonpublic personal information.
    ``(c) Non-Discriminatory Treatment.--
            ``(1) In general.--A financial institution shall not 
        discriminate against a consumer or deny an otherwise qualified 
        consumer a financial product or service or offer a financial 
        product or service on less favorable terms and conditions, 
        except as permitted in subsection (d), because the consumer has 
        not provided the express consent described under subsection 
        (b).
            ``(2) Exception.--With respect to a consumer who has not 
        provided a financial institution with the express consent 
        described under subsection (b)--
                    ``(A) nothing in this section shall prohibit such 
                institution from denying the consumer a financial 
                product or service if the institution can not provide 
                such product or service to the consumer without such 
                express consent; and
                    ``(B) such institution shall not be required to 
                offer a financial product or service to the customer if 
                such product or service cannot be offered to the 
                consumer without such express consent.
    ``(d) Incentives and Discounts Permitted.--Nothing in this section 
shall be construed to prohibit a financial institution from offering 
reasonable incentives or discounts in exchange for a consumer providing 
the express consent described under subsection (b).
    ``(e) Consent Form Requirements.--An express consent form complies 
with the requirements of this subsection if it meets the following 
criteria:
            ``(1) It is a separate document, not attached to any other 
        document.
            ``(2) It is dated and signed by the consumer.
            ``(3) It clearly and conspicuously discloses that by 
        signing, the consumer is consenting to the disclosure to 
        nonaffiliated third parties of nonpublic personal information 
        pertaining to the consumer.
            ``(4) It clearly and conspicuously discloses--
                    ``(A) that the consent will remain in effect until 
                revoked by the consumer;
                    ``(B) that the consumer may revoke the consent at 
                any time; and
                    ``(C) the procedure for the consumer to revoke 
                consent.
            ``(5) It clearly and conspicuously informs the consumer 
        that--
                    ``(A) the financial institution will maintain the 
                form or a true and correct copy;
                    ``(B) the consumer is entitled to a copy of the 
                form upon request; and
                    ``(C) the consumer may want to make a copy of the 
                document for the consumer's records.
            ``(6) Such other criteria as the Bureau of Consumer 
        Financial Protection may determine appropriate.
    ``(f) Preexisting Contracts.--Notwithstanding the prohibition under 
subsection (a), until January 1, 2012, a financial institution may 
disclose nonpublic personal information to a nonaffiliated financial 
institution pursuant to a preexisting contract with the nonaffiliated 
financial institution for purposes of offering a financial product or 
service, if such contract was entered into on or before January 1, 
2011.
    ``(g) Limitation on the Sharing of Account Number Information for 
Marketing Purposes.--A financial institution shall not disclose, other 
than to a consumer reporting agency, an account number or similar form 
of access number or access code for a credit card account, debit card 
account, deposit account, or other transaction account of a consumer to 
any nonaffiliated third party for use in telemarketing, direct mail 
marketing, or other marketing through electronic mail to the consumer.

``SEC. 502A. OBLIGATIONS WITH RESPECT TO DISCLOSURES OF PERSONAL 
              INFORMATION TO AFFILIATES.

    ``(a) Notice Requirement.--A financial institution may not disclose 
a consumer's nonpublic personal information to an affiliate, or share 
such information with an affiliate, unless--
            ``(1) the financial institution has notified the consumer, 
        in the disclosure described under section 503(a), that the 
        nonpublic personal information may be disclosed to, or shared 
        with, an affiliate of the financial institution; and
            ``(2) the consumer has not directed that the nonpublic 
        personal information not be disclosed or shared.
    ``(b) Exceptions.--
            ``(1) Common systems exclusion.--For purposes of this 
        section, a financial institution shall not be deemed to have 
        disclosed information to, or shared information with, an 
        affiliate merely because--
                    ``(A) such information is--
                            ``(i) maintained in common information 
                        systems or databases, where employees of the 
                        financial institution and its affiliate have 
                        access to those common information systems or 
                        databases; and
                            ``(ii) subject to reasonable access 
                        controls consistent with whether or not the 
                        consumer has directed that the consumer's 
                        nonpublic personal information not be disclosed 
                        to affiliates; or
                    ``(B) a consumer accesses a website jointly 
                operated or maintained by or on behalf of the financial 
                institution and its affiliate.
            ``(2) Joint offerings with a nonaffiliated financial 
        institution.--The prohibition under subsection (a) shall not 
        apply to the release of a consumer's nonpublic personal 
        information by a financial institution with whom the consumer 
        has a relationship to a nonaffiliated financial institution for 
        purposes of jointly offering to the consumer a financial 
        product or service if the following requirements are met:
                    ``(A) The financial product or service is a product 
                or service of, and is provided by, at least one of the 
                financial institutions that is a party to the written 
                agreement described under subparagraph (C).
                    ``(B) The financial product or service is jointly 
                offered, endorsed, or sponsored, and clearly and 
                conspicuously identifies for the consumer the financial 
                institutions that disclose and receive the disclosed 
                nonpublic personal information.
                    ``(C) The release of the consumer's nonpublic 
                personal information is made pursuant to a written 
                agreement between the financial institutions and such 
                agreement provides that the financial institution that 
                receives the nonpublic personal information is required 
                to maintain the confidentiality of the information and 
                is prohibited from disclosing or using the information 
                other than to carry out the joint offering or servicing 
                of the financial product or service that is the subject 
                of the written agreement.
                    ``(D) The consumer has not directed that the 
                consumer's nonpublic personal information not be 
                disclosed.
            ``(3) Information sharing among related entities.--
                    ``(A) In general.--The prohibition under subsection 
                (a) shall not apply to the sharing of nonpublic 
                personal information between a financial institution 
                and its wholly owned financial institution subsidiary, 
                among financial institutions that are each wholly owned 
                by the same financial institution, among financial 
                institutions that are wholly owned by the same holding 
                company, or among the insurance and management entities 
                of a single insurance holding company system consisting 
                of one or more reciprocal insurance exchanges which 
                have a single corporation or its wholly owned 
                subsidiaries providing management services to the 
                reciprocal insurance exchanges if the following 
                requirements are met:
                            ``(i) The financial institution disclosing 
                        the nonpublic personal information and the 
                        entity receiving it are regulated by the same 
                        functional regulator. Notwithstanding the 
                        previous sentence, an insurer admitted in a 
                        State to transact insurance and licensed to 
                        write insurance policies shall be deemed to 
                        meet the requirement of this clause.
                            ``(ii) The financial institution disclosing 
                        the nonpublic personal information and the 
                        entity receiving it are both principally 
                        engaged in the same line of business, and such 
                        line of business is one, and only one, of the 
                        following lines of business:
                                    ``(I) Insurance.
                                    ``(II) Banking.
                                    ``(III) Securities.
                            ``(iii) The financial institution 
                        disclosing the nonpublic personal information 
                        and the entity receiving it share a common 
                        brand, other than a brand consisting solely of 
                        a graphic element or symbol, within their 
                        trademark, service mark, or trade name, which 
                        is used to identify the source of the products 
                        and services provided.
                    ``(B) Rules of construction.--For purposes of this 
                paragraph:
                            ``(i) Determining the same functional 
                        regulator.--In determining whether two entities 
                        are regulated by the same functional 
                        regulator--
                                    ``(I) entities whose functional 
                                regulator is the Office of the 
                                Comptroller of the Currency, the Board 
                                of Governors of the Federal Reserve 
                                System, the National Credit Union 
                                Administration, or a State regulator of 
                                depository institutions shall be deemed 
                                to be regulated by the same functional 
                                regulator; and
                                    ``(II) entities whose functional 
                                regulator is the Securities and 
                                Exchange Commission, the United States 
                                Department of Labor, or a State 
                                securities regulator shall be deemed to 
                                be regulated by the same functional 
                                regulator.
                            ``(ii) Wholly owned financial institution 
                        subsidiary.--The term `wholly owned financial 
                        institution subsidiary' includes a financial 
                        institution subsidiary wholly owned indirectly 
                        in a chain of one or more wholly owned 
                        financial institution subsidiaries.
            ``(4) Disclosure to affiliates permitted in certain 
        circumstances.--The prohibition under subsection (a) shall not 
        apply to a financial institution providing nonpublic personal 
        information to an affiliate to perform services for or 
        functions on behalf of the financial institution, if--
                    ``(A) the financial institution notifies the 
                consumer it is providing such information to the 
                affiliate; and
                    ``(B) the financial institution enters into a 
                contract with the affiliate under which the affiliate 
                agrees to maintain the confidentiality of such 
                information.
            ``(5) Additional exclusions.--The prohibition under 
        subsection (a) shall not apply to the disclosure of nonpublic 
        personal information--
                    ``(A) as necessary to effect, administer, or 
                enforce a transaction--
                            ``(i) requested or authorized by the 
                        consumer; or
                            ``(ii) in connection with--
                                    ``(I) servicing or processing a 
                                financial product or service requested 
                                or authorized by the consumer;
                                    ``(II) maintaining or servicing the 
                                consumer's account with the financial 
                                institution, or with another entity as 
                                part of a private label credit card 
                                program or other extension of credit on 
                                behalf of such entity; or
                                    ``(III) a proposed or actual 
                                securitization, secondary market sale 
                                (including sales of servicing rights), 
                                or similar transaction related to a 
                                transaction of the consumer;
                    ``(B) with the express consent or at the direction 
                of the consumer for a specific transaction;
                    ``(C) as reasonably necessary to protect the 
                confidentiality or security of the financial 
                institution's records pertaining to the consumer, the 
                service or product, or the transaction therein;
                    ``(D) as reasonably necessary to protect against or 
                prevent actual or potential fraud, unauthorized 
                transactions, claims, or other liability;
                    ``(E) as reasonably necessary for required 
                institutional risk control;
                    ``(F) to resolve customer disputes or inquiries;
                    ``(G) to persons holding a legal or beneficial 
                interest relating to the consumer;
                    ``(H) to persons acting in a fiduciary or 
                representative capacity on behalf of the consumer;
                    ``(I) as reasonably necessary to provide 
                information to insurance rate advisory organizations, 
                guaranty funds or agencies, applicable rating agencies 
                of the financial institution, persons assessing the 
                institution's compliance with industry standards, and 
                the institution's attorneys, accountants, and auditors;
                    ``(J) to the extent specifically required under 
                other provisions of law and in accordance with the 
                Right to Financial Privacy Act of 1978, to law 
                enforcement agencies (including a Federal functional 
                regulator, the Secretary of the Treasury under 
                subchapter II of chapter 53 of title 31, United States 
                Code, and chapter 2 of title I of Public Law 91-508 (12 
                U.S.C. 1951-1959), a State insurance authority, or the 
                Federal Trade Commission), self-regulatory 
                organizations, or for an investigation on a matter 
                related to public safety;
                    ``(K) to a consumer reporting agency in accordance 
                with the Fair Credit Reporting Act;
                    ``(L) from a consumer report reported by a consumer 
                reporting agency;
                    ``(M) in connection with a proposed or actual sale, 
                merger, transfer, or exchange of all or a portion of a 
                business or operating unit if the disclosure of 
                nonpublic personal information concerns solely 
                consumers of such business or unit;
                    ``(N) to comply with Federal, State, or local laws, 
                rules, or other applicable legal requirements;
                    ``(O) to comply with a properly authorized civil, 
                criminal, or regulatory investigation or subpoena or 
                summons by Federal, State, or local authorities; or
                    ``(P) to respond to judicial process or government 
                regulatory authorities having jurisdiction over the 
                financial institution for examination, compliance, or 
                other purposes as authorized by law.
    ``(c) Construction.--Nothing in this section shall be construed as 
prohibiting a financial institution from disclosing or sharing 
nonpublic personal information as otherwise specifically permitted 
under this title.
    ``(d) Non-Discriminatory Treatment.--
            ``(1) In general.--A financial institution shall not 
        discriminate against a consumer or deny an otherwise qualified 
        consumer a financial product or service or offer a financial 
        product or service on less favorable terms and conditions 
        because the consumer has directed that the nonpublic personal 
        information of the consumer not be disclosed.
            ``(2) Exception.--With respect to a consumer who has 
        directed that the nonpublic personal information of the 
        consumer not be disclosed--
                    ``(A) nothing in this section shall prohibit a 
                financial institution from denying the consumer a 
                financial product or service if the institution can not 
                provide such product or service to the consumer without 
                making such disclosure; and
                    ``(B) such institution shall not be required to 
                offer a financial product or service to the customer if 
                such product or service cannot be offered to the 
                consumer without such disclosure.
    ``(e) Compliance With Section 502 Requirements Satisfies This 
Section.--The prohibition under subsection (a) shall not apply to 
disclosures made to an affiliate of a financial institution if, with 
respect to such affiliate, the financial institution has provided the 
consumer with the notice required under section 502(a) and received the 
express consent described under section 502(b), to the same extent as 
would be required for making a disclosure to a nonaffiliated third 
party under that section.
    ``(f) Limits on Reuse of Information.--Except as otherwise provided 
in this subtitle, an affiliate that receives from a financial 
institution nonpublic personal information shall not, directly or 
through an affiliate, disclose such information to any other person 
that is a nonaffiliated third party of both the financial institution 
and such affiliate, unless such disclosure would be permitted if made 
directly to such person by the financial institution.'';
            (3) in section 503--
                    (A) by striking subsections (b), (d), and (e);
                    (B) by redesignating subsection (c) as subsection 
                (b);
                    (C) in paragraph (1) of subsection (b), as so 
                redesignated, by inserting after ``subtitle,'' the 
                following: ``and with respect to disclosing nonpublic 
                personal information to affiliates, consistent with 
                section 502A of this subtitle,''; and
                    (D) by adding at the end the following new 
                subsections:
    ``(c) Model Disclosure Form.--
            ``(1) In general.--The Board of Governors of the Federal 
        Reserve System (before the designated transfer date) and the 
        Bureau of Consumer Financial Protection (on and after the 
        designated transfer date) shall develop a model disclosure form 
        (hereinafter in this section referred to as the `model form') 
        to be used by financial institutions that seek the consent of a 
        consumer to disclose nonpublic personal information. The model 
        form shall meet all of the following requirements:
                    ``(A) The model form shall have the title 
                `IMPORTANT PRIVACY CHOICES FOR CONSUMERS' and the 
                headers, if applicable, shall be as follows: `Restrict 
                Information Sharing With Companies We Own Or Control 
                (Affiliates)' and `Restrict Information Sharing With 
                Other Companies We Do Business With To Provide 
                Financial Products And Services'.
                    ``(B) The title and headers shall be clearly and 
                conspicuously displayed, and no text in the form shall 
                be smaller than 10-point type.
                    ``(C) The model form shall be designed to call 
                attention to the nature and significance of the 
                information in the form.
                    ``(D) The model form shall present information in 
                clear and concise sentences, paragraphs, and sections.
                    ``(E) The model form shall use short explanatory 
                sentences (an average of 15-20 words) or bullet lists 
                whenever possible.
                    ``(F) The model form shall avoid multiple 
                negatives, legal terminology, and highly technical 
                terminology whenever possible.
                    ``(G) The model form shall avoid explanations that 
                are imprecise and readily subject to different 
                interpretations.
                    ``(H) The model form provides wide margins, ample 
                line spacing, and uses boldface or italics for key 
                words.
                    ``(I) The model form may not be more than one page.
                    ``(J) The model form shall meet minimal clarity and 
                readability standards.
            ``(2) Satisfaction of requirements.--Use of the model form 
        shall be presumed to satisfy the notice requirements of this 
        section.
            ``(3) Alternate forms.--If a financial institution uses a 
        form other than the model form--
                    ``(A) the financial institution may submit that 
                form to the Board of Governors of the Federal Reserve 
                System (before the designated transfer date) and the 
                Bureau of Consumer Financial Protection (on and after 
                the designated transfer date) for approval, and that 
                approval shall constitute a rebuttable presumption that 
                the form complies with this section; and
                    ``(B) that form shall be filed with the Board of 
                Governors of the Federal Reserve System (before the 
                designated transfer date) and the Bureau of Consumer 
                Financial Protection (on and after the designated 
                transfer date) within 30 days after it is first used.
    ``(d) Additional Requirements.--
            ``(1) Use of examples and explanations.--A financial 
        institution shall not be in violation of this section solely 
        because the institution includes on the disclosure form one or 
        more brief examples or explanations of the purpose or purposes 
        for, or context within, which information will be shared, as 
        long as those examples meet clarity and readability standards 
        established by the Board of Governors of the Federal Reserve 
        System.
            ``(2) Envelope requirements.--If sent in an envelope, the 
        outside of the envelope in which the disclosure form is sent to 
        the consumer shall clearly state in 16-point boldface type 
        `IMPORTANT PRIVACY CHOICES'. This requirement shall not apply 
        if the form is sent to a consumer in the same envelope as a 
        bill, account statement, or application requested by the 
        consumer.
            ``(3) Mailing requirements.--The form may be sent in any of 
        the following ways:
                    ``(A) With a bill, other statement of account, or 
                application requested by the consumer, in which case 
                the information required by this title may also be 
                included in the same envelope.
                    ``(B) As a separate notice or with the information 
                required by this title, and including only information 
                related to privacy.
                    ``(C) With any other mailing, in which case it 
                shall be the first page of the mailing.
            ``(4) Consumer direction on disclosures.--The consumer 
        shall be provided a reasonable opportunity prior to disclosure 
        of nonpublic personal information to direct that nonpublic 
        personal information not be disclosed. A consumer may direct at 
        any time that his or her nonpublic personal information not be 
        disclosed. A financial institution shall comply with a 
        consumer's directions concerning the sharing of his or her 
        nonpublic personal information within 45 days of receipt by the 
        financial institution. When a consumer directs that nonpublic 
        personal information not be disclosed, that direction is in 
        effect until otherwise stated by the consumer. A financial 
        institution that has not provided a consumer with annual notice 
        pursuant to this section shall provide the consumer with a form 
        that meets the requirements of this section, and shall allow 45 
        days to lapse from the date of providing the form in person or 
        the postmark or other postal verification of mailing before 
        disclosing nonpublic personal information pertaining to the 
        consumer.
            ``(5) Non-continuing relationship.--If a financial 
        institution does not have a continuing relationship with a 
        consumer other than the initial transaction in which the 
        product or service is provided, no annual disclosure 
        requirement exists pursuant to this section as long as the 
        financial institution provides the consumer with the form 
        required by this section at the time of the initial 
        transaction.
            ``(6) Response alternatives.--
                    ``(A) In general.--A financial institution shall 
                include a self-addressed return envelope with the 
                notice required under subsection (a) and a financial 
                institution with assets of more than $25,000,000 
                shall--
                            ``(i) additionally provide such envelope 
                        stamped with first class business reply 
                        postage; or
                            ``(ii) provide two alternative cost-free 
                        means for consumers to communicate their 
                        privacy choices, such as calling a toll-free 
                        number, sending a facsimile to a toll-free 
                        telephone number, or using electronic means.
                    ``(B) Contact information.--A financial institution 
                shall clearly and conspicuously disclose in the 
                disclosure required by this section the information 
                necessary to direct the consumer on how to communicate 
                his or her choices, including the toll-free or 
                facsimile number or website address that may be used, 
                if those means of communication are offered by the 
                financial institution.
            ``(7) Joint disclosures.--A financial institution may 
        provide a joint disclosure from it and one or more of its 
        affiliates or other financial institutions, as identified in 
        the disclosure, so long as the disclosure is accurate with 
        respect to the financial institution and the affiliates and 
        other financial institutions.
            ``(8) Rule of construction.--Nothing in this section may be 
        construed as prohibiting a financial institution from marketing 
        its own products and services or the products and services of 
        affiliates or nonaffiliated third parties to customers of the 
        financial institution as long as--
                    ``(A) nonpublic personal information is not 
                disclosed in connection with the delivery of the 
                applicable marketing materials to those customers, 
                except as permitted under section 502; and
                    ``(B) in the case in which the applicable 
                nonaffiliated third party may extrapolate nonpublic 
                personal information about the consumer responding to 
                those marketing materials, the applicable nonaffiliated 
                third party has signed a contract with the financial 
                institution under the terms of which--
                            ``(i) the nonaffiliated third party is 
                        prohibited from using that information for any 
                        purpose other than the purpose for which it was 
                        provided, as set forth in the contract; and
                            ``(ii) the financial institution has the 
                        right by audit, inspections, or other means to 
                        verify the nonaffiliated third party's 
                        compliance with that contract.
            ``(9) Treatment of members of a single household.--A notice 
        provided to a member of a household shall be considered notice 
        to all members of that household unless that household contains 
        another individual who also has a separate account with the 
        financial institution.
            ``(10) Electronic disclosure.--
                    ``(A) In general.--Notwithstanding subsection (a), 
                the disclosure required under that subsection may only 
                be made in electronic form if the following 
                requirements are met:
                            ``(i) The disclosure, and the manner in 
                        which the consent for electronic disclosures is 
                        obtained, meets all of the requirements for 
                        disclosures that are required by law to be in 
                        writing, as set forth in section 101 of the 
                        Electronic Signatures in Global and National 
                        Commerce Act.
                            ``(ii) All other requirements applicable to 
                        the disclosure, as set forth in this subtitle, 
                        are met, including requirements concerning 
                        content, timing, form, and delivery.
                            ``(iii) The disclosure is delivered to the 
                        consumer in a form the consumer may keep and 
                        print.
                    ``(B) No envelope required.--An electronic notice 
                sent pursuant to this section is not required to 
                include a return envelope.
                    ``(C) Electronic reply.--Any electronic consumer 
                reply to an electronic disclosure sent pursuant to this 
                subtitle is effective. A person that electronically 
                sends a disclosure required by this subtitle to a 
                consumer may not by contract, or otherwise, eliminate 
                the effectiveness of the consumer's electronic reply.
                    ``(D) Effect on electronic signatures in global and 
                national commerce act.--This subtitle modifies the 
                provisions of section 101 of the Electronic Signatures 
                in Global and National Commerce Act. However, it does 
                not modify, limit, or supersede the provisions of 
                subsection (c), (d), (e), (f), or (h) of section 101 of 
                the Electronic Signatures in Global and National 
                Commerce Act, nor does it authorize electronic delivery 
                of any disclosure of the type described in subsection 
                (b) of section 103 of such Act.
            ``(11) Affinity partners.--
                    ``(A) Affinity cards.--When a financial institution 
                and an organization or business entity that is not a 
                financial institution (hereinafter in this paragraph 
                referred to as an `affinity partner') has an agreement 
                to issue a credit card in the name of the affinity 
                partner (hereinafter in this paragraph referred to as 
                an `affinity card'), the financial institution may only 
                disclose to the affinity partner in whose name the card 
                is issued the following information pertaining to the 
                financial institution's customers who are in receipt of 
                the affinity card:
                            ``(i) The name, address, telephone number, 
                        and electronic mail address of the customers.
                            ``(ii) The record of purchases made using 
                        the affinity card in a business establishment, 
                        including a website, bearing the brand name of 
                        the affinity partner.
                    ``(B) Affinity financial product or service.--When 
                a financial institution and an affinity partner have an 
                agreement to issue a financial product or service, 
                other than a credit card, on behalf of the affinity 
                partner (hereinafter in this paragraph referred to as 
                an `affinity financial product or service'), the 
                financial institution may only disclose to the affinity 
                partner the name, address, telephone number, and 
                electronic mail address of the financial institution's 
                customers who obtained the affinity financial product 
                or service.
                    ``(C) Additional requirements.--The disclosures 
                permitted under subparagraphs (A) and (B) may only be 
                made if all of the following requirements are met:
                            ``(i) The financial institution has 
                        provided the consumer a notice meeting the 
                        requirements of subsection (a), and the 
                        consumer has not directed that the consumer's 
                        nonpublic personal information not be 
                        disclosed.
                            ``(ii) The financial institution has a 
                        contractual agreement with the affinity partner 
                        that requires the affinity partner to maintain 
                        the confidentiality of the nonpublic personal 
                        information and prohibits affinity partners 
                        from using the information for any purpose 
                        other than verifying membership, verifying the 
                        consumer's contact information, or offering the 
                        affinity partner's own products or services to 
                        the consumer.
                            ``(iii) The customer list is not disclosed 
                        in any way that reveals or permits 
                        extrapolation of any additional nonpublic 
                        personal information about any customer on the 
                        list.
                    ``(D) Electronic mail notices.--If an affinity 
                partner sends any message to any electronic mail 
                addresses obtained from a financial institution, the 
                message shall include the following:
                            ``(i) The identity of the sender of the 
                        message.
                            ``(ii) The identity of the entity that 
                        provided the electronic mail address to the 
                        affinity partner.
                            ``(iii) A cost-free means for the recipient 
                        to notify the sender not to electronically mail 
                        any further message to the recipient.
                    ``(E) Exception.--This paragraph shall not apply to 
                credit cards issued--
                            ``(i) in the name of an entity primarily 
                        engaged in retail sales; or
                            ``(ii) in a name proprietary to an entity 
                        primarily engaged in retail sales.
    ``(e) Annually Defined.--For purposes of this section and with 
respect to a relationship between a financial institution and a 
consumer, the term `annually' means at least once in any period of 12 
consecutive months during which that relationship exists. The financial 
institution may define the 12-consecutive-month period, but shall apply 
it to the consumer on a consistent basis.
    ``(f) Non-Applicability of Written Notice in Certain 
Circumstances.--Nothing in this subtitle shall be construed as 
requiring a financial institution to provide a written notice to a 
consumer pursuant to section 502 or 502A if the financial institution 
does not disclose nonpublic personal information to any nonaffiliated 
third party or to any affiliate, except as allowed in this subtitle.'';
            (4) by amending section 504 to read as follows:

``SEC. 504. RULEMAKING.

    ``Such regulations as may be necessary to carry out the purposes of 
this subtitle shall be prescribed--
            ``(1) before the designated transfer date, by each of the 
        Federal banking agencies, the National Credit Union 
        Administration, the Secretary of the Treasury, the Securities 
        and Exchange Commission, and the Federal Trade Commission, 
        after consultation as appropriate with representatives of State 
        insurance authorities designated by the National Association of 
        Insurance Commissioners; and
            ``(2) on and after the designated transfer date, by the 
        Bureau of Consumer Financial Protection.'';
            (5) in section 505--
                    (A) by redesignating subsections (b), (c), and (d) 
                as subsections (c), (d), and (e), respectively;
                    (B) by inserting after subsection (a) the following 
                new subsection:
    ``(b) Transfer of Responsibility to the Bureau of Consumer 
Financial Protection.--Notwithstanding subsection (a), on the 
designated transfer date, the enforcement powers of the Federal 
functional regulators under this subtitle shall be transferred to the 
Bureau of Consumer Financial Protection.''; and
                    (C) in subsection (c)(1), as redesignated, by 
                striking ``, to the extent practicable, as standards 
                prescribed pursuant to section 39(a) of the Federal 
                Deposit Insurance Act are implemented pursuant to such 
                section'';
            (6) in section 509, by adding at the end the following new 
        paragraph:
            ``(12) Designated transfer date.--The term `designated 
        transfer date' shall have the meaning given such term under 
        section 1062 of the Consumer Financial Protection Act of 
        2010.''; and
            (7) in the table of contents, by striking the item relating 
        to section 502 and inserting the following new items:

``Sec. 502. Obligations with respect to disclosures of personal 
                            information to nonaffiliated third parties.
``Sec. 502A. Obligations with respect to disclosures of personal 
                            information to affiliates.''.
    (b) Effective Date.--This Act, and the amendments made by this Act, 
shall take effect on January 1, 2012.