Order Code RS21614
Updated January 6, 2004
CRS Report for Congress
Received through the CRS Web
Comparison of California’s Financial Information Privacy Act of 2003 with Federal Privacy Provisions
M. Maureen Murphy
Legislative Attorney
American Law Division
Summary
The California Financial Information Privacy Act,[1] enacted on August 28, 2003, and effective on July 1, 2004, governs the rights of California residents with respect to the dissemination of nonpublic personal information by financial institutions. In some respects, it diverges from two federal laws that impose restrictions on the dissemination of nonpublic personally identifiable customer information by financial institutions. Its major provisions include a requirement that, before sharing nonpublic personal information with nonaffiliated third parties, financial institutions receive an affirmative consent, an opt-in, from their customers. Before such information may be shared with affiliates not in the same line of business and regulated by the same functional regulator, an opt-out notice is required. Wholly-owned subsidiaries and affiliates in the same line of business (securities, banking, or insurance) may share information, except medical information, without an opt-out or opt-in requirement. California’s law was enacted just before Congress enacted the Fair and Accurate Credit Transactions Act (P.L. 108-159), which makes permanent the federal statutory preemption of state regulation of information sharing among corporate affiliates that was set to expire on December 31, 2003, and limits the ability of affiliated companies to share consumer information for marketing solicitations. See CRS Report RS21449, Fair Credit Reporting Act: Preemption of State Law; CRS Report RL32121, Fair Credit Reporting Act: A Comparison of House and Senate Legislation; CRS Report RL31758, Financial Privacy: The Economics of Opt-In vs Opt-Out; and CRS Report RL31847, The Role of Information in Lending: The Cost of Privacy Restrictions. This report will be updated as warranted.
[1] 2003 Cal. Adv. Legis. Serv. 241 (West); 2003 Cal. Stat. Ch. 241. (Available September 3, 2003, in LEXIS, STATES Library, CACODE file.)
Congressional Research Service · The Library of Congress
Background. There are two sets of federal rules for sharing of non-public personal information by financial institutions. One, under the Gramm-Leach-Bliley Act (GLBA), P.L. 106-102, applies to information sharing with non-affiliated third parties. The other, under the Fair Credit Reporting Act, specifically the Fair Credit Reporting Act Amendments of 1996, P.L. 104-208, applies to information sharing among companies of the same corporate family or holding company, i.e., affiliates. GLBA prohibits financial institutions from sharing nonpublic personally identifiable customer information with non-affiliated third parties unless consumers are given an opportunity to prevent the disclosure, that is, to opt out. Under its 1996 amendments, the Fair Credit Reporting Act (FCRA) preempts all state laws with respect to the exchange of information among affiliated entities, companies in the same corporate family. 15 U.S.C. § 1681t(b)(2). As amended in 2003 by section 214 of P.L. 108-159, 117 Stat. 1952, the Fair and Accurate Credit Transactions Act of 2003, these preemptive provisions, due to expire at the end of 2003, were made permanent. An additional limitation was placed on information sharing among affiliated companies. Subject to certain exceptions, affiliated companies may not share customer information for marketing solicitations unless the consumer is provided clear and conspicuous notification that the information may be exchanged for such purposes and an opportunity and a simple method to opt out.
The California Financial Information Privacy Act was enacted as the 1996
FCRA temporary preemption of state law was about to expire and contemporaneously
with Congressional consideration of proposals to extend the FCRA preemption. Its
provisions respecting information sharing among corporate affiliates are subject to the
preemption provisions of the FCRA. Any provisions of the California law that relate to
information sharing by financial institutions with non-affiliated third parties and that
provide more protection than GLBA’s privacy provisions would not be preempted.
Current Legislation. Among the bills being considered by the 108th Congress are
the following:
H.R. 2622 (Representative Bachus), which has been reported by the House Financial
Services Committee (H.Rept. 108-263) and passed by the House, would, among other
things, make permanent the FCRA preemptions respecting information sharing among
affiliates.
H.R. 1766 (Representatives Tiberi and Lucas), in addition to making the FCRA
preemptions permanent, would give preemptive effect to GLBA’s provisions respecting
disclosure of nonpublic personal information by financial institutions, effectively
establishing a national standard for disclosure of customer information by financial
institutions. It would prevent states and local governments from imposing additional
requirements, such as an opt-in for information sharing with non-affiliated third parties,
more detailed or more frequent notice requirements, or increased protection for sensitive
data.
S. 660 (Sen. Johnson) would make the FCRA preemptions permanent, thereby
preempting state laws or regulations restricting information sharing among corporate
affiliates.
California Financial Information Privacy Act. The following comparison with
existing federal law is presented as a means of focusing on some of the issues that
Congress has been examining.
Nonaffiliated 3d Parties
California law: Opt-in for a financial institution to share non-public personal information (NPPI) with nonaffiliated third parties.
Federal law: Opt-out.

“Affiliates”
California law: Entities controlled by or under common control with another entity. Has separate rules for wholly-owned financial affiliates that are in the same line of business (banking or insurance or securities), regulated by the same functional regulator, and use the same brand. (Hereafter, wholly-owned affiliates.)
Federal law: Same definition. Has no distinction for “wholly-owned affiliates.”

Information Sharing Among Affiliates
California law: No opt-out or opt-in requirement for sharing of NPPI among wholly-owned financial affiliates. Medical information is excluded and may be shared only pursuant to another Cal. statute. Opt-out for a financial institution to share NPPI with affiliates other than those meeting the criteria for “wholly-owned financial affiliates.”
Federal law: Permits all affiliates to share experience and transaction information without an opt-in or an opt-out. Opt-out required for financial institutions to share non-experience or non-transaction information among affiliates. No distinction for medical information.

“Financial Institution”
California law: Excludes computer services, lawyers (and possibly, accountants), and motor vehicle dealers assigning sales contracts to financial institutions in 30 days.
Federal law: No such exclusions.

“Consumer” or “Customer”
California law: Excludes beneficiaries of employee benefit plan, group insurance plan, worker compensation plan, or trust.
Federal law: No such exclusions.

Consent Form for Opting In
California law: There must be: clear notice that it remains in effect until revoked; of procedures for revocation; and, that a copy may be requested. Signature required. Institution may not discriminate because consent has been withheld, but may offer incentive to obtain consent.
Federal law: Not applicable.

Opt-Out Requirements
California law: Must provide an annual written notice to the consumer that the financial institution may disclose NPPI to affiliates and that the consumer has not yet opted out. If a common data base is maintained with affiliates, once the consumer has opted out, NPPI in that data base may not be further disclosed or used by an affiliate except as permitted. Statute contains detailed specifications regarding form and content of opt-out notice, including requirements for providing return envelopes and, in some instances, postage paid return envelopes. Statute provides a model form that acts as presumptive proof of compliance if used to notify of opt-out right. An alternative permits financial institutions to submit forms for approval by functional regulators.
Federal law: One time notice sufficient. No details of content and form specified by statute; nor are there statutory requirements for self-addressed return envelopes, model notice and consent forms, or a means of regulatory approval of forms. The regulations provide more detail than the statute as to content and form for consent but are not as specific as is the California law.

Joint Marketing Agreements
California law: Opt-out is required for joint marketing agreements entered into after January 1, 2005 if certain conditions are met; otherwise opt-in is required. Conditions require that the product or service be that of one of the parties, jointly offered with notice of the financial institutions that have the NPPI, and the agreement must provide for confidentiality.
Federal law: No opt-out requirement for joint marketing agreements if the customer has notice that the information will be provided and the receiving institution agrees to maintain its confidentiality. No further limitations on the services offered or notices to be provided with those marketing offers.

Account Number
California law: No specific provision.
Federal law: Account numbers may not be disclosed for marketing to nonaffiliated third parties.

Annual Notice of Privacy Policy
California law: No requirement for annual notice of privacy policy other than annual notice that the institution may disclose NPPI to affiliates and the customer has not opted out.
Federal law: GLBA requires initial and annual notice of financial institution’s privacy policy and specifies information to be included.

Affinity Partnerships
California law: Requires a written confidentiality agreement. Limits information financial institutions may provide to an affinity partner with whom it issues a credit card or provides services, primarily to name, address, and record of purchases with affinity card.
Federal law: GLBA has no explicit provision for affinity agreements.

Exceptions
California law: Similar to those in GLBA. Explicitly includes USA PATRIOT Act requirements, and various provisions permitting reporting suspected illegal activity, such as elder abuse or identity theft, and administering various programs, such as collection of child support and bone marrow donations.
Federal law: Has an extensive list of exceptions.

Enforcement
California law: Prescribes liability of up to $2,500 per consumer for each violation, up to $500,000, enforceable by the California Attorney General and the California and federal functional regulators.
Federal law: Administrative enforcement by functional regulators: federal banking and securities regulators; state insurance regulators; and FTC for entities not subject to another regulator.