WikiLeaks Document Release
http://wikileaks.org/wiki/CRS-RS21614
February 2, 2009

Congressional Research Service Report RS21614
Comparison of California's Financial Information Privacy Act of 2003 with Federal Privacy Provisions
M. Maureen Murphy, American Law Division
Updated January 6, 2004

Abstract. The California Financial Information Privacy Act, enacted on August 28, 2003, and effective on July 1, 2004, governs the rights of California residents with respect to the dissemination of nonpublic personal information by financial institutions. This report compares the California privacy act with federal privacy provisions.

Order Code RS21614
Updated January 6, 2004
CRS Report for Congress
Received through the CRS Web

Comparison of California's Financial Information Privacy Act of 2003 with Federal Privacy Provisions
M. Maureen Murphy
Legislative Attorney
American Law Division

Summary

The California Financial Information Privacy Act,[1] enacted on August 28, 2003, and effective on July 1, 2004, governs the rights of California residents with respect to the dissemination of nonpublic personal information by financial institutions. In some respects, it diverges from two federal laws that impose restrictions on the dissemination of nonpublic personally identifiable customer information by financial institutions. Its major provisions include a requirement that, before sharing nonpublic personal information with nonaffiliated third parties, financial institutions receive an affirmative consent, an opt-in, from their customers. Before such information may be shared with affiliates not in the same line of business and regulated by the same functional regulator, an opt-out notice is required. Wholly-owned subsidiaries and affiliates in the same line of business (securities, banking, or insurance) may share information, except medical information, without an opt-out or opt-in requirement.
California's law was enacted just before Congress enacted the Fair and Accurate Credit Transactions Act (P.L. 108-159), which makes permanent the federal statutory preemption of state regulation of information sharing among corporate affiliates that was set to expire on December 31, 2003, and limits the ability of affiliated companies to share consumer information for marketing solicitations. See CRS Report RS21449, Fair Credit Reporting Act: Preemption of State Law; CRS Report RL32121, Fair Credit Reporting Act: A Comparison of House and Senate Legislation; CRS Report RL31758, Financial Privacy: The Economics of Opt-In vs Opt-Out; and CRS Report RL31847, The Role of Information in Lending: The Cost of Privacy Restrictions. This report will be updated as warranted.

[1] 2003 Cal. Adv. Legis. Serv. 241 (West); 2003 Cal. Stat. Ch. 241. (Available September 3, 2003, in LEXIS, STATES Library, CACODE file.)

Congressional Research Service ~ The Library of Congress

Background. There are two sets of federal rules for sharing of non-public personal information by financial institutions. One, under the Gramm-Leach-Bliley Act (GLBA), P.L. 106-102, applies to information sharing with non-affiliated third parties. The other, under the Fair Credit Reporting Act, specifically the Fair Credit Reporting Act Amendments of 1996, P.L. 104-208, applies to information sharing among companies of the same corporate family or holding company, i.e., affiliates. GLBA prohibits financial institutions from sharing nonpublic personally identifiable customer information with non-affiliated third parties unless consumers are given an opportunity to prevent the disclosure, that is, to opt out. Under its 1996 amendments, the Fair Credit Reporting Act (FCRA) preempts all state laws with respect to the exchange of information among affiliated entities, companies in the same corporate family. 15 U.S.C. § 1681t(b)(2).
As amended in 2003 by section 214 of P.L. 108-159, 117 Stat. 1952, the Fair and Accurate Credit Transactions Act of 2003, these preemptive provisions, due to expire at the end of 2003, were made permanent. An additional limitation was placed on information sharing among affiliated companies. Subject to certain exceptions, affiliated companies may not share customer information for marketing solicitations unless the consumer is provided clear and conspicuous notification that the information may be exchanged for such purposes, together with an opportunity and a simple method to opt out.

The California Financial Information Privacy Act was enacted as the 1996 FCRA temporary preemption of state law was about to expire and contemporaneously with Congressional consideration of proposals to extend the FCRA preemption. Its provisions respecting information sharing among corporate affiliates are subject to the preemption provisions of the FCRA. Any provisions of the California law that relate to information sharing by financial institutions with non-affiliated third parties and that provide more protection than GLBA's privacy provisions would not be preempted.

Current Legislation. Among the bills being considered by the 108th Congress are the following: H.R. 2622 (Representative Bachus), which has been reported by the House Financial Services Committee (H.Rept. 108-263) and passed by the House, would, among other things, make permanent the FCRA preemptions respecting information sharing among affiliates. H.R. 1766 (Representatives Tiberi and Lucas), in addition to making the FCRA preemptions permanent, would give preemptive effect to GLBA's provisions respecting disclosure of nonpublic personal information by financial institutions, effectively establishing a national standard for disclosure of customer information by financial institutions.
It would prevent states and local governments from imposing additional requirements, such as an opt-in for information sharing with non-affiliated third parties, more detailed or more frequent notice requirements, or increased protection for sensitive data. S. 660 (Sen. Johnson) would make the FCRA preemptions permanent, thereby preempting state laws or regulations restricting information sharing among corporate affiliates.

California Financial Information Privacy Act. The following comparison with existing federal law is presented as a means of focusing on some of the issues that Congress has been examining. Each row of the comparison gives the California Law provision first and the Federal Law provision second.

Nonaffiliated 3d Parties
  California Law: Opt-in for a financial institution to share non-public personal information (NPPI) with nonaffiliated third parties.
  Federal Law: Opt-out.

"Affiliates"
  California Law: Entities controlled by or under common control with another entity. Has separate rules for wholly-owned financial affiliates that are in the same line of business (banking or insurance or securities), regulated by the same functional regulator, and use the same brand. (Hereafter, wholly-owned affiliates.)
  Federal Law: Same definition. Has no distinction for "wholly-owned affiliates."

Information Sharing Among Affiliates
  California Law: No opt-out or opt-in requirement for sharing of NPPI among wholly-owned financial affiliates. Medical information is excluded and may be shared only pursuant to another Cal. statute. Opt-out for a financial institution to share NPPI with affiliates other than those meeting the criteria for "wholly-owned financial affiliates."
  Federal Law: Permits all affiliates to share experience and transaction information without an opt-in or an opt-out. Opt-out required for financial institutions to share non-experience or non-transaction information among affiliates. No distinction for medical information.

"Financial Institution"
  California Law: Excludes computer services, lawyers (and possibly accountants), and motor vehicle dealers assigning sales contracts to financial institutions within 30 days.
  Federal Law: No such exclusions.

"Consumer" or "Customer"
  California Law: Excludes beneficiaries of an employee benefit plan, group insurance plan, worker compensation plan, or trust.
  Federal Law: No such exclusions.

Consent Form for Opting In
  California Law: There must be clear notice that the consent remains in effect until revoked, of the procedures for revocation, and that a copy may be requested. Signature required. Institution may not discriminate because consent has been withheld, but may offer an incentive to obtain consent.
  Federal Law: Not applicable.

Opt-Out Requirements
  California Law: Must provide an annual written notice to the consumer that the financial institution may disclose NPPI to affiliates and that the consumer has not yet opted out. If a common data base is maintained with affiliates, once the consumer has opted out, NPPI in that data base may not be further disclosed or used by an affiliate except as permitted. Statute contains detailed specifications regarding form and content of the opt-out notice, including requirements for providing return envelopes and, in some instances, postage-paid return envelopes. Statute provides a model form that acts as presumptive proof of compliance if used to notify of the opt-out right. An alternative permits financial institutions to submit forms for approval by functional regulators.
  Federal Law: One-time notice sufficient. No details of content and form specified by statute; nor are there statutory requirements for self-addressed return envelopes, model notice and consent forms, or a means of regulatory approval of forms. The regulations provide more detail than the statute as to content and form for consent but are not as specific as the California law.

Joint Marketing Agreements
  California Law: Opt-out is required for joint marketing agreements entered into after January 1, 2005 if certain conditions are met; otherwise opt-in is required. Conditions require that the product or service be of one of the parties, jointly offered with notice of the financial institutions that have the NPPI, and the agreement must provide for confidentiality.
  Federal Law: No opt-out requirement for joint marketing agreements if the customer has notice that the information will be provided and the receiving institution agrees to maintain its confidentiality. No further limitations on the services offered or notices to be provided with those marketing offers.

Account Number
  California Law: No specific provision.
  Federal Law: Account numbers may not be disclosed for marketing to nonaffiliated third parties.

Annual Notice of Privacy Policy
  California Law: No requirement for annual notice of privacy policy other than annual notice that the institution may disclose NPPI to affiliates and the customer has not opted out.
  Federal Law: GLBA requires initial and annual notice of the financial institution's privacy policy and specifies information to be included.

Affinity Partnerships
  California Law: Requires a written confidentiality agreement. Limits information financial institutions may provide to an affinity partner with whom it issues a credit card or provides services, primarily to name, address, and record of purchases with the affinity card.
  Federal Law: GLBA has no explicit provision for affinity agreements.

Exceptions
  California Law: Similar to those in GLBA. Explicitly includes USA PATRIOT Act requirements, and various provisions permitting reporting of suspected illegal activity, such as elder abuse or identity theft, and administering various programs, such as collection of child support and bone marrow donations.
  Federal Law: Has an extensive list of exceptions.

Enforcement
  California Law: Prescribes liability of up to $2,500 per consumer for each violation, up to $500,000, enforceable by the California Attorney General and the California and federal functional regulators.
  Federal Law: Administrative enforcement by functional regulators: federal banking and securities regulators; state insurance regulators; and the FTC for entities not subject to another regulator.