Yes, that should be sufficient for Illinois privacy law purposes, provided that your agreement with the social media company complies with the federal law’s requirements in Regulation P. As explained in an Illinois Department of Financial and Professional Regulation (IDFPR) letter, the financial privacy requirements in the Illinois Banking Act incorporate all of the exceptions that apply under federal privacy laws — meaning that the exceptions under Regulation P also apply under Illinois law. Since you are likely relying on the exception in Section 13 of Regulation P (the exception for service providers and joint marketing), you should ensure that your agreement with the social media company meets the notice and contractual requirements under Section 13.
As to other possible concerns, there are many, such as non-disclosure provisions to prevent the company from selling your customers’ data. Due to the many possible issues, it may be advisable that bank counsel review the agreement before signing.
For resources related to our guidance, please see:
- Regulation P, 12 CFR 1016.13 (joint marketing exception, which applies in the event that you “(i) Provide the initial notice in accordance with §1016.4; and (ii) Enter into a contractual agreement with the third party that prohibits the third party from disclosing or using the information other than to carry out the purposes for which you disclosed the information. . .”)
- IDFPR Interpretive Letter 01-01 (explains how federal and Illinois financial privacy laws interact and concludes that the exceptions under federal law, including the joint marketing exception, also apply to the Illinois financial privacy requirements in Section 48.1 of the Illinois Banking Act)