18 September 2003

The California Privacy Act and Effect on the Financial Services Industry

On August 18, 2003, the California Financial Information Privacy Act (CA Privacy Act) passed both houses of the California State Legislature, and was signed into law by Governor Gray Davis on August 27, 2003. The bill was first proposed by State Senator Jackie Speier four years ago and was heavily lobbied against by the financial services industry. The new California law expands the protections offered by the federal Gramm-Leach-Bliley Act (GLBA). The Legislature specifically found that the cross-industry affiliation permitted under the GLBA "increases the likelihood that the personal financial information of California residents will be widely shared among, between, and within companies," and that the GLBA’s policies to protect financial privacy "are inadequate to meet the privacy concerns of California residents." The law becomes operative on July 1, 2004.

Background

The Legislature passed the bill while proposed state Proposition 977 was approaching its deadline for the last day of circulation. The proposition would have imposed more restrictive requirements on financial institutions than the CA Privacy Act because it required that consumers specifically consent to allowing the disclosure of their personal financial information "to another person or entity, including an affiliate."

The GLBA, which eliminated federal barriers to affiliations among banks, securities firms, insurance companies, and other financial service providers, provides protections to consumers with respect to the transfer and use of their nonpublic personal information by financial institutions. The GLBA requires that financial institutions disclose their disclosure policies and practices and prohibits them from disclosing consumers’ nonpublic personal financial information to a nonaffiliated party without first giving consumers the opportunity to "opt out" of sharing their personal, nonpublic financial information. The GLBA attempted to conserve the benefits and synergies of cross-industry affiliation resulting from the repeal of the Glass-Steagall Act prohibitions while providing privacy protections to consumers and establishing a level playing field for smaller institutions. Although, from the perspective of financial institutions, the new CA Privacy Act is more restrictive, it continues this balancing act in the exceptions it provides.

Opt In v. Opt Out

The debate between consumer and industry representatives has focused on two areas: affirmative acts on the part of the consumer, and sharing of information between affiliates. The GLBA’s "opt out" procedure requires the consumer to submit an "opt out" form to obtain the protections of the act. The new CA Privacy Act converts the basic "opt out" into an "opt in" mechanism, thereby eliminating the need for an affirmative act on the part of the consumer to obtain the protection. Although the financial services industry would have to incur the expense of originating and mailing notices to their customers regardless of whether the notices are structured as "opt out" or "opt in," the most significant difference between these two mechanisms for according protection is the implication that consumers are less likely to respond to a notice that requires an affirmative act on their part. California’s "opt in" mechanism requires no affirmative act on the part of the consumer to obtain the protections; instead, the opposite occurs: a consumer would have to consent before the financial institution is able to share the information.

Passive consumers who do not care about the release of their information, or who do not bother to read disclosure materials, are now as protected as the activist consumers who have already asserted their right to obtain protections under the GLBA. Other provisions of the Act provide an "opt out" mechanism for disclosure where none was required under federal law. Conceivably, consumers could now receive a GLBA "opt out" notice, a CA Privacy Act "opt out" notice for affiliate sharing, an "opt out" notice for sharing with a nonaffiliated third party pursuant to a joint marketing arrangement, and an "opt in" notice for general sharing with nonaffiliated third parties.

The basic prohibition in the CA Privacy Act, which can be lifted only through an "opt in" procedure, is found at section 4052.5, which provides that, except as described in the following sections of this Client Alert:

A financial institution shall not sell, share, transfer, or otherwise disclose nonpublic personal information to or with any nonaffiliated third parties without the explicit prior consent of the consumer to whom the nonpublic personal information relates.

Any information received cannot be disclosed to any other entity "unless the disclosure would be lawful if made directly to the other entity by the financial institution."

Affiliate Sharing

Although the GLBA did not cover affiliate sharing of personal financial information, the privacy protections it offers should be viewed in the context of the expansion of bank and bank holding company activities into the previously uncharted realms of securities, insurance, and possibly real estate brokerage activities. In the nearly four years since the GLBA was enacted, this context is now taken for granted, but it provides a background for understanding how privacy concerns have expanded from a focus on sharing between new affiliates in different industries to sharing between sister bank subsidiaries and the entities that have provided banking services to them for decades.

Instead of prohibiting or restricting affiliate sharing of nonpublic personal financial information, the GLBA simply required a study of affiliate sharing practices. No notice was required to be provided, and no permission needed to be obtained under federal law, before a financial institution could share this information with an affiliate. The drafters of the CA Privacy Act, unlike the drafters of the GLBA, appear to have assumed that less information sharing among financial institutions will result in more confidentiality of personal financial information.

The GLBA employs a very broad definition of "financial institution" as "any institution the business of which is engaging in financial activities." The CA Privacy Act adopts a similar definition. Congress intended that financial companies be allowed to become a radically different, more closely supervised holding company for a bank, unlike traditional bank holding companies formed under the federal Bank Holding Company Act. Similarly, financial subsidiaries of national and state banks were also permitted to engage in nontraditional activities for a bank, although these newly authorized activities were more limited than those of financial holding companies. Over time, as reflected in the federal bank regulations implementing the GLBA, the breadth of the term "financial activities" has come to include bank activities as well.

The CA Privacy Act requires that California consumers be given the opportunity to "opt out" of information sharing arrangements with affiliates. It prohibits a financial institution from sharing a consumer’s "nonpublic personal information with an affiliate unless the financial institution has clearly and conspicuously notified the consumer annually in writing that the nonpublic personal information may be disclosed to an affiliate of the financial institution and the consumer has not directed that the nonpublic personal information not be disclosed." § 4053(b)(1). There are two major exceptions to this new restriction, for affiliates with common databases and for related financial institutions that are in the same line of business.

The first exception is available if a financial institution has notified the consumer annually in writing that the information may be disclosed to an affiliate, and the consumer has not opted out:

A financial institution does not disclose information to, or share information with, its affiliate merely because information is maintained in common information systems or databases, and employees of the financial institution and its affiliate have access to those common information systems or databases, or a consumer accesses a Web site jointly operated or maintained under a common name by or on behalf of the financial institution and its affiliate . . . .

Thus, banks that provide the opt out and annual notices and then combine their databases with those of their affiliates before July 1, 2004 will be able to take advantage of this exception.

The second exception is for affiliates regulated by the same functional regulator, engaged in the same line of business, and that share a common brand. Three lines of business are identified: insurance, banking and securities. Section 4053(c) provides:

Nothing . . . shall restrict or prohibit the sharing of nonpublic personal information between a financial institution and its wholly owned financial institution subsidiaries; among financial institutions that are each wholly owned by the same financial institution; among financial institutions that are wholly owned by the same holding company; or among the insurance and management entities of a single insurance holding company system consisting of one or more reciprocal insurance exchanges which has a single corporation or its wholly owned subsidiaries providing management services to the reciprocal insurance exchanges . . . .

This exception allows sister bank subsidiaries to share information with one another and with their bank holding company and other affiliates, but only if they are all wholly owned by the same entity. ("Functional regulator" is defined so that sister bank subsidiaries may have different state or federal charters, so long as they have a common brand.) Thus, affiliated banks that are not wholly owned but are controlled by the same person or entity will not be able to share information without going through the same opt out procedures as banks that plan to share information with insurance company or other nonbanking industry affiliates. Another exception is provided in the definition of "affiliate," which "does not include a joint employee of the entity and the affiliate"; franchisors, however, are included as affiliates. § 4052(d).

Affiliate Sharing

| Affiliates | Exempt | Opt Out |
|---|---|---|
| 1. Financial institutions (FIs)* in same line of business with same functional regulator** and common brand | | |
| • FI and wholly owned FI subs | ✓ | |
| • Wholly owned FIs of same FI | ✓ | |
| • FI and non-wholly owned FI subs | | ✓ |
| • Non-wholly owned FI subs of same FI | | ✓ |
| • FIs wholly owned by same holding company | ✓ | |
| 2. FIs not in same line of business | | ✓ |
| 3. Affiliates with common databases | ✓ | |
| 4. Joint employees | ✓ | |
| 5. Franchisor | | ✓ |

Level Playing Field for Smaller Banks Using Third Parties

Smaller banks are more likely to use nonaffiliated third parties to provide the type of non-banking financial services to their customers that larger banks tend to provide through affiliates. Congress provided an exception in the GLBA for sharing information with a nonaffiliated third party where the third party was performing services for or on behalf of financial institutions, marketing the financial institutions’ own products or services, or where financial products or services were offered pursuant to joint agreements. This reflects Congress’ intent "to ensure that smaller financial institutions are not placed at a competitive disadvantage by a statutory regime that permits certain information to be shared freely within an affiliate structure while limiting the ability to share that same information with nonaffiliated third parties." The CA Privacy Act also tries to provide a level playing field for smaller institutions.

A financial institution may enter into a contract with a nonaffiliated financial institution on or before January 1, 2004, for purposes of offering a product or service and share information with that third party until January 1, 2005. The exception benefiting smaller banks provides that under certain conditions, the act:

Shall not prohibit the release of nonpublic personal information by a financial institution with whom the consumer has a relationship to a nonaffiliated financial institution for purposes of jointly offering a financial product or financial service pursuant to a written agreement . . . .

§ 4053(b)(2). After January 1, 2005, the contract must meet other requirements: it must involve a financial product or service provided by one of the parties to the agreement; the agreement must be jointly offered; and it must provide that the recipient of the information will agree to maintain confidentiality. Another provision favors smaller institutions by requiring that only larger banks, those with assets in excess of $25 million, include a self-addressed first class business reply return envelope with the required notice. § 4053(d)(6). Banks of all sizes are also permitted to provide other options for allowing consumers to communicate their privacy choices, which include providing a toll-free number, a fax number, or a Web site address. These notices, however, must meet the requirements of the federal Electronic Signatures in Global and National Commerce Act and must be "delivered" to the consumer.

Sharing with a Nonaffiliated Third Party

| Affiliates | Opt In | Exempt | Opt Out |
|---|---|---|---|
| 1. Sharing with nonaffiliated third party (NTP) prohibited without consent | ✓ | | |
| 2. Until 1/1/05, FI may share information with NTP under joint offering contract dated prior to 1/1/04 | | ✓ | |
| 3. After 1/1/05, FI may share with NTP, if joint offering contract meets certain conditions | | | ✓ |

Special Exceptions

The CA Privacy Act provides several exceptions to its prohibition on the release of nonpublic personal financial information, including, for example:

  • with the consent of the consumer,
  • in connection with a securitization,
  • to protect the security of the institution’s records or for institutional risk control,
  • to prevent identity fraud or theft,
  • for debt collection,
  • released under a fiduciary capacity,
  • to provide information to insurance rate advisory organizations,
  • under the Right to Financial Privacy Act, to law enforcement agencies, etc., and
  • under the USA PATRIOT Act.

§ 4056. The act provides a major exception for disclosure to affiliates and to nonaffiliate third party service providers, which allows release "in order for the affiliate or nonaffiliated third party to perform business or professional services, such as printing, mailing services, data processing or analysis, or customer surveys," provided that certain conditions are met. § 4056(b)(9).

A special limited disclosure is available when a financial institution offers an affinity credit card on behalf of a nonfinancial institution (such as a nonprofit group or trade association). § 4054.6. The affinity partner may receive limited disclosures under certain conditions if the opt out notice provides a separate choice for disclosure to affinity partners and the affinity partner is required to maintain confidentiality. A complete exemption is provided for credit cards (or private label cards) issued by banks on behalf of retailers. Disclosures are permitted in the case of credit cards issued on behalf of retailers when "necessary to effect, administer, or enforce" a transaction or "in connection with servicing or processing a financial product or service requested by the consumer, or in connection with maintaining or servicing the consumer’s account." §§ 4056(b); 4052(h).

Preemption

Since the enactment of the GLBA, the City of Daly City and the Counties of San Mateo and Contra Costa have issued their own privacy ordinances with "opt in" provisions. These were challenged by two large national banks, Bank of America and Wells Fargo, which claimed that the ordinances were preempted under federal law. Bank of America, N.A., et al. v. City of Daly City, California, No. C 02-4343, (N.D. Cal., July 29, 2003). The plaintiffs argued that the ordinances were preempted under the Fair Credit Reporting Act (FCRA). The court found that FCRA does preempt State laws regarding affiliate information-sharing, holding, "States and local governments are free to enact law affording some protection to consumer privacy greater than that provided by federal law, but not with regard to the disclosure of information to affiliates." The court did not address whether the ordinances were preempted under the National Bank Act.

The CA Privacy Act specifically preempts local agency ordinances and regulations relating to the use and sharing of nonpublic personal information by financial institutions and for severability of any provision preempted by federal law. §§ 4058.7; 4059. The CA Privacy Act may be preempted under federal law even though the GLBA provides that a state statute is not inconsistent with its provisions if the State statute affords greater privacy protection to consumers. A court could find the act preempted under the National Bank Act or under the Fair Credit Reporting Act (FCRA). Congress is considering whether to extend the current FCRA preemption of state laws restricting affiliate sharing which will expire on January 1, 2004. It should be noted that even if state law is determined to be preempted with respect to federally chartered institutions, it may not be preempted with respect to state-chartered institutions.

Forms

The CA Privacy Act describes an opt out form that is "conclusively presumed to have satisfied the notice requirements," and is provided in Exhibit A to this Client Alert.

Financial institutions desiring to provide a consumer with the opportunity to opt in and permit sharing will have to devise their own forms for that purpose. No provision prohibits separate mailing of opt in and opt out notices.

The form may be included as a statement stuffer or sent separately with a special warning label; it may include the GLBA notice, may be a joint notice with one or more affiliates, and may be sent electronically. § 4054(c). There is no time limit for consumers to respond to a notice, but a financial institution must comply within 45 days of receipt. Section 4053 includes a clarity standard for forms of "a minimum Flesch reading ease score of 50." Also, any form other than that recommended must be filed with the state Office of Privacy Protection within 30 days of use. Approval of a form by the institution’s functional regulator will establish a rebuttable presumption that the form complies with the CA Privacy Act.

Penalties

Finally, the CA Privacy Act provides civil penalties for its violation, to be pursued by the Attorney General, or the entity’s functional regulator. Penalties are available in two tiers, depending on whether the disclosure was negligent ($2,500 per individual violation; maximum award of $500,000) or willful (no maximum). Double penalties are provided if a violation results in identity theft.

This alert is only a general review of the subjects covered and does not constitute an opinion or legal advice.

© 2003 Pillsbury Winthrop LLP.

EXHIBIT A

CALIFORNIA PRIVACY ACT OPT OUT FORM

Important Privacy Choices for Consumers

You have the right to control whether we share some of your personal information.
Please read the following information carefully before you make your choices below.

Your Rights

You have the following rights to restrict the sharing of personal and financial information with our affiliates (companies we own or control) and outside companies that we do business with. Nothing in this form prohibits the sharing of information necessary for us to follow the law, as permitted by law, or to give you the best service on your accounts with us. This includes sending you information about some other products or services.

Your Choices

Restrict Information Sharing With Companies We Own or Control (Affiliates): Unless you say "No," we may share personal and financial information about you with our affiliated companies.

(___) NO, please do not share personal and financial information with your affiliated companies.

Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services: Unless you say "No," we may share personal and financial information about you with outside companies we contract with to provide financial products and services to you.

(___) NO, please do not share personal and financial information with outside companies you contract with to provide financial products and services.


Time Sensitive Reply

You may make your privacy choice(s) at any time. Your choice(s) marked here will remain unless you state otherwise. However, if we do not hear from you we may share some of your information with affiliated companies and other companies with whom we have contracts to provide products and services.

Name:

Account or Policy Number(s): [to be filled in by consumer]

Signature:

To exercise your choices do [one of] the following:

(1) Fill out, sign and send back this form to us using the envelope provided (you may want to make a copy for your records); [#1 is mandatory]

[(2) Call this toll-free number (800) xxx-xxxx or (xxx) xxx-xxxx]; [optional]

[(3) Reply electronically by contacting us through the following Internet option: xxxxx.com] [optional]
