---
identifier: "/us/cfr/t17/s248.8"
source: "ecfr"
legal_status: "authoritative_unofficial"
title: "17 CFR § 248.8 - Revised privacy notices."
title_number: 17
title_name: "Commodity and Securities Exchanges"
section_number: "248.8"
section_name: "Revised privacy notices."
chapter_name: "SECURITIES AND EXCHANGE COMMISSION"
part_number: "248"
part_name: "REGULATIONS S-P, S-AM, AND S-ID"
positive_law: false
currency: "2026-04-05"
last_updated: "2026-04-05"
format_version: "1.1.0"
generator: "[email protected]"
authority: "15 U.S.C. 78q, 78q-1, 784, 785, 78w, 78mm, 80a-30, 80a-37, 80b-4, 80b-11, 1681m(e), 1681s(b), 1681s-3 and note, 1681w(a)(1), 6801-6809, and 6825; Pub. L. 111-203, secs. 1088(a)(8), (a)(10), and sec. 1088(b), 124 Stat. 1376 (2010)."
regulatory_source: "65 FR 40362, June 29, 2000, unless otherwise noted."
cfr_part: "248"
---
Identifier
/us/cfr/t17/s248.8
Currency
2026-04-05
Positive Law
No
Updated
2026-04-05
Chapter
Securities and Exchange Commission
Authority
15 U.S.C. 78q, 78q-1, 784, 785, 78w, 78mm, 80a-30, 80a-37, 80b-4, 80b-11, 1681m(e), 1681s(b), 1681s-3 and note, 1681w(a)(1), 6801-6809, and 6825; Pub. L. 111-203, secs. 1088(a)(8), (a)(10), and sec. 1088(b), 124 Stat. 1376 (2010).
# 248.8 Revised privacy notices.

(a) *General rule.* Except as otherwise authorized in this subpart, you must not, directly or through any affiliate, disclose any nonpublic personal information about a consumer to a nonaffiliated third party other than as described in the initial notice that you provided to that consumer under § 248.4, unless:

(1) You have provided to the consumer a clear and conspicuous revised notice that accurately describes your policies and practices;

(2) You have provided to the consumer a new opt out notice;

(3) You have given the consumer a reasonable opportunity, before you disclose the information to the nonaffiliated third party, to opt out of the disclosure; and

(4) The consumer does not opt out.

(b) *Examples.* (1) Except as otherwise permitted by §§ 248.13, 248.14, and 248.15, you must provide a revised notice before you:

(i) Disclose a new category of nonpublic personal information to any nonaffiliated third party;

(ii) Disclose nonpublic personal information to a new category of nonaffiliated third party; or

(iii) Disclose nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure.

(2) A revised notice is not required if you disclose nonpublic personal information to a new nonaffiliated third party that you adequately described in your prior notice.

(c) *Delivery.* When you are required to deliver a revised privacy notice by this section, you must deliver it according to § 248.9.